Malware Analysis Report

2024-09-22 16:35

Sample ID 240403-z6dp1sdd88
Target a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118
SHA256 93dc6becd9d4c16eecf188a19798f9cbbde3281270efe869f8f6c81a7815a74f
Tags
babadeda cryptbot crypter loader spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93dc6becd9d4c16eecf188a19798f9cbbde3281270efe869f8f6c81a7815a74f

Threat Level: Known bad

The file a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

babadeda cryptbot crypter loader spyware stealer discovery

Babadeda

CryptBot

Babadeda Crypter

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-03 21:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 21:19

Reported

2024-04-03 21:22

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

CryptBot

spyware stealer cryptbot

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIE5B3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE67E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE73B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE826.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF080.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e032.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e032.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE43B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e035.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e035.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 2568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2180 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2556 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2556 wrote to memory of 1204 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe
PID 2556 wrote to memory of 1204 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe
PID 2556 wrote to memory of 1204 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe
PID 2556 wrote to memory of 1204 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe
PID 1204 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1660 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1660 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1660 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 91FC1B46A781A3C163818CF8D04943DB C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\adv2.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1711919732 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B63CB0E1F4D0D0F3E171DF032286965E

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe

"C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mYIWJGIsgXQmW & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

Files

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\decoder.dll

MD5 454418ebd68a4e905dc2b9b2e5e1b28c
SHA1 a54cb6a80d9b95451e2224b6d95de809c12c9957
SHA256 73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409
SHA512 171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\adv2.msi

MD5 4194f484a9eddbf061602ca3518109fa
SHA1 d0ce65bca7177b505c77b86133c926a6d59238bf
SHA256 518f0ee6728f89bca8d394aadfd77a0cba35308c25225eaffd2ed04daa6cfb71
SHA512 a4c1badbc35bb79f14595c83a3dee09aeab18891fd343dfe597e680e891c6a7b333b947d939933f4c0e441cd8645e78dafb042992a0b6a4820a5fc5a5d4ab093

C:\Users\Admin\AppData\Local\Temp\CabCFFE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarD06E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarD525.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\MSID777.tmp

MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

C:\Users\Admin\AppData\Local\Temp\MSID95C.tmp

MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d745d13cc84429559eba5fc7e109d02
SHA1 15d4a9cb4109c448a6a853565afc497853b405a4
SHA256 d68d5ee86db0620c2d7a6393eb5374fa7fddee5e4c9c1275cffe60d495cc64b1
SHA512 de4fcc7d1259b866aa01dda00ed81806f0a198f8fd45d0194cd031e3e84df342c8c9ff71ee5dffa898a3a7993dba8cb9c0df3b43ed590d340ac1ae6efa09420a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb7a6d27c9a126a77af2746c4c4f312a
SHA1 56a60a353240812e1e7009869694e0ff37035a15
SHA256 4cd750ca332aa25ce5f7267776119014853dd847c311061449197e3b41f0b040
SHA512 8dac4f9c935cb80a428c8c79250dae7cdc04745f4c89a774e5a207c81954d3d1462597600fee65fa79098e6e60f9cf563be643de80161d5e7b43baf4629adb58

C:\Windows\Installer\MSIE826.tmp

MD5 2a6c81882b2db41f634b48416c8c8450
SHA1 f36f3a30a43d4b6ee4be4ea3760587056428cac6
SHA256 245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805
SHA512 e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\basswma10.dll

MD5 a1b72973bb9af880f8d90f15c45764d4
SHA1 25491e8d1bfea8212b21c3acfb4f3232522e2a8a
SHA256 9230e808b848f07d23f814b2401f6a11d9753338912361e10d0962b1bf603bb1
SHA512 9749ca312902cfc5aff12e41119e9a6a98c2a67d8c80d1793bb8f75e930158734f29e965e6215aa19a0fec437697a0c00e2f440c0c9839aac4200b9ebd0dd09e

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\cecilcore.exe

MD5 fa13d6d888e69b5b795fcfed11b2492c
SHA1 e96008828cb3bc7f98208bb7e76e694e4f4b85cf
SHA256 f9c1794ea531bc185b1c1449b516a198c74075629d75569b710fbececa864298
SHA512 35c0b99db5fcae02f7309919802b7b4ff4a17d3c87cb6edc21891c7eefcbf2ba344eb4b3c213bff43e6b5b892a9f9a2db6fe8269c2a76376bb8d57d7f62f76cd

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\sig

MD5 a96984d1c71c6799cbbf44c19adc046b
SHA1 b2fb68f027dd71184d8872d7ff8aa6deefc8bfb1
SHA256 a453bc91e3a825078753c667c22f606412d2a4cc995e975eafb1ae178afb6117
SHA512 920aaf54812a962c42f188fe1ea4c1cec77036bd72b27351b36aedb530fb517d9a9332ef132d16ee2d468c6087f7a1a11dd1090f51d1374eadb22b81961ec1c1

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Common.dll

MD5 5026b281f29df1f4c2ab120a70f3550f
SHA1 7ae56eb0d2fa8b52f95d1f4ba692cd6caa95545f
SHA256 e3dc7ea9412525f29f4a13d412a8b64d7da0e18f5c506d26df5d958f7667280a
SHA512 0a1afe8f22d8362b55b86a40589116e94f4c1ce56ec1ee5ce633eb881314304f31a69d683b70011d3d9ac3b25b6af96315573d270dbcb28148919a435affa7d6

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\libEGL.dll

MD5 89a6ab09dac37a28f2267c8b65ff55c5
SHA1 9ce53e0e5b904b6a94b4d4988096609636bd14e4
SHA256 5efc0aeb984eb7691305b362088406ab82d5b2d9fc7ad6332f0d6e0919762cd0
SHA512 0806db4d43b5841f76b773df37b2548bc2dbf968df59d4538181be31f0434eb098b9e229f7cbe524a31eb75cbabc50972236bb9eaf30b4f15e4f2cfede7fce14

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\LICENSE.electron.txt

MD5 f8436f54558748146ec7ebd61ca6ac38
SHA1 ef226e5b023d458efcdc59dc653694d89802f81c
SHA256 34f6f27c26d1bb8682ebb42ae401f558228fd608455bd7c6561d5fd500b7d05b
SHA512 5b310b48bbee286f03e645e4bfad0ec870a7c68c445d54f46f3eaaa9c427f9de6cd0561d451838bd53c78a5289e9f0bda19cda4257a4657580afa6c357913050

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\plugin_core.dll

MD5 b79d7159ba735958c18148dcdf543571
SHA1 d7d4d4aedf7897092665dfc573e9fe9c313c2fe4
SHA256 638aa5d39ae52d09317c001bb8163fbf1ffdea03e371ed61457d765ad35a5e52
SHA512 79b7ae9a722714c6d640f35b81e54fb9a0b8e6042b99705094d6e968736d1389ed0e2a90c5120955a458d158d9af8a485ff4b5dbc9227165c11dcf62fd180c71

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\skin_draw.dll

MD5 72ad6c45aaf461326f5a512afb4b33b0
SHA1 4b6791aa02c76e96256bf19ec9ff828303a308b8
SHA256 dcf318a760aeecca2496417d5111b059867471919d2721d766da7d29d29df305
SHA512 5c495d059aa51beb4be143a9beb496f380b84f28bc4090e2c21f942e5847dfb5c2cdfd759636eacf4b2820fb6f68cccd8b60ce336a721d03575f45f9496f6b99

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\clock_common.dll

MD5 85d02f053f1151ac4d3fdda5ea10adc6
SHA1 a134e20a33387a3bfe256b36585d9ccb6113a29f
SHA256 989354441731eafd1cd63285ab681176a43f08ea999362c5d792c9b2bcbd6564
SHA512 146233b07a3d81f7aa7c2a5e055935fb61307e20dc15b168c248f6d83f934d916184b568e39f7ad8c6ce28d26eb5b1605d6b2200b5ddc2b6cf0bc0dd114981c2

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Buffers.dll

MD5 ecdfe8ede869d2ccc6bf99981ea96400
SHA1 2f410a0396bc148ed533ad49b6415fb58dd4d641
SHA256 accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb
SHA512 5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Memory.dll

MD5 6fb95a357a3f7e88ade5c1629e2801f8
SHA1 19bf79600b716523b5317b9a7b68760ae5d55741
SHA256 8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7
SHA512 293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Numerics.Vectors.dll

MD5 aaa2cbf14e06e9d3586d8a4ed455db33
SHA1 3d216458740ad5cb05bc5f7c3491cde44a1e5df0
SHA256 1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183
SHA512 0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Qt5TextToSpeech.dll

MD5 3cdb361b43a3ce45145df5bad519df63
SHA1 8f7cfe31068584151bf913171c82949fd7a945f2
SHA256 8f5a39d8e35d981a8200fb4a83b42b72ec71a9c5db16a09c5df69b001bfb2e13
SHA512 88722199a716dbe665204d9d192207594cd3819130d22c07133e8a229628f66e5eddab60dbb1759ba389cf42398c32eafca8b74e07b3dfce4c916fd8715d566c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\WindowsInput.dll

MD5 eda6dcf70b3423d40078e5440fad3704
SHA1 0ddee7bf081fa20e71683d9ab2029ce93a7ee1b3
SHA256 f44326a1a2e2fecb4029c19b7a5c0777821cd6bae9b415989d3f8007c15861d5
SHA512 0b0f3b889ebc1a88b0fff477256fa5b234e520c64f0a695f125c0226133f35c2d6f57c83de648fce19e30fbecf9ce401475221d8f761c896479cca4d4a96c3f8

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Interop.IWshRuntimeLibrary.dll

MD5 9569c5ddd9ab1e7bfd24e41250a67903
SHA1 304afddbbaac26843cf53b9713e09a85fe525cac
SHA256 6a80b9d1bd609a3cb6af8cf8c1534f7baca1d78ad353ce6ed5b578a0ba96eb83
SHA512 7bc2a98f9fb934212cbc7b8dac21ec38b89b39a3f60ef53490bb25d07c286d1db4da1757b766f323615185aa26f094e601337110da14224fcfe3ce016eaf0c54

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\LICENSE.txt

MD5 fc292eaec94367e0775fa0638880ebce
SHA1 fa5ff95ef7e8f5ad9cfc77738f5e6c0ca96572dd
SHA256 971f1733cb237ddd626e579954938c6fc0e925ccbf885074ad5fcf19b4efbe2e
SHA512 4f3ceb0d390f47fae7294db5399177a1128dd196cf58a45768984c1783ae4e0c0d0746aae716b2a08f7058df214494a7fb20c8bc982d0e3b8cb3d70ccef7917f

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\postinstall_readme.txt

MD5 24ac8ba156f8fbfd86a4292e4f44631b
SHA1 081d1ec03058bba9ff43b40f39891b82a3cb3b6e
SHA256 37c45cea617294e1aff68e83fdf0ff14ca454049f9896b5ccd2bdeb22140fa1e
SHA512 9874047be537596921ee8375e274499dce122f45257c714c0bcab5ba5e9a91540c37578b9f96e4a9a3376c3a311ef934b85758db1aa8d71329dce74ed17f6581

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\README.txt

MD5 7539e219a0d2331524b97605c4fe641d
SHA1 718d7c209915ff4944a81ef38701542d63ea30e2
SHA256 3f169438204953468391d382ca1813c54a0301b733c59bef9178c2d55e9e7e0b
SHA512 c8886ba4445e612bedb7c9f8b8b7044c016ea45ad5f80b1a9082707a2b7c5334bfe6b7ac8df4c2f603d0bfd1dbb727691d65e3a6c14acc78104b869c9bb97dca

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\CHANGES.txt

MD5 109e9d23496dc406050f895409be2531
SHA1 5a8659d65025b121c2a16d80d3d55cd9c3a5a7ef
SHA256 b58477a045a7411ff95ca8b1e055801d5d10055e2de52e1a94397919a09d82c2
SHA512 548fa0ec3b1a4056440867e7b7fd7374ab9d08e0156121ef7e1f7c57ae97a58b5c357cdd69ebd18df80ca4078fb595cddebda245b317213b140cac5069ab7058

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Mono.Cecil.Mdb.dll

MD5 a269c436d17634aecf2ac0e95c44728c
SHA1 3dae54046aa5edbcf58ff38acc1d12682e3442b5
SHA256 f02a2d8154ef002863702d6513c6773ebbb83e520834c2ac8e38c6a7f0174e27
SHA512 bbd1740bce3d1eecccaa560696cc5b0999a1e00c3d6747f3bb93ab44a5f9a2186f01048fa69e173b89c40b98bddf13c4de92564b13c0ec36eb96b69ec65dc157

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\TurboJpegWrapper.dll

MD5 f5639d78d8c860df0176b1499695e8b3
SHA1 a70f699d75903ca2ae31098f4687add23245804d
SHA256 9c8de413bf48e680ded9db3b3a4c7773642b9d6c76973ae95d40eb0cba31d4e2
SHA512 2098dd214db72b7f9b70c58cd1fcb53dd4982e441c19b3571941f9026e0dde0ae9005bb084ecb2f21ee2e24776fc95d60cb50b11fc536a68ad153efc1dc8ef0c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\COPYING.txt

MD5 3c34afdc3adf82d2448f12715a255122
SHA1 7713a1753ce88f2c7e6b054ecc8e4c786df76300
SHA256 0b383d5a63da644f628d99c33976ea6487ed89aaa59f0b3257992deac1171e6b
SHA512 4937848b94f5b50ea16c51f9e98fdcd3953aca63d63ca3bb05d8a62c107e382b71c496838d130ae504a52032398630b957acaea6c48032081a6366d27cba5ea9

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\AForge.dll

MD5 02c63f568e598aad85dd401d7b26e82a
SHA1 2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c
SHA256 966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
SHA512 da9bff86be8fa890dda80a35ee6c851aa655f087f81804a23c73f8c586b7e13ac5a643e0a516a35787cd97b392aec16bfb95210080e4e53e6144fec9316acdb1

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\bootstrap.min.css

MD5 930dcbc9f2338de708fc0a1b83bf4509
SHA1 d7d00b64854a54676c86095289e5def76b98ac96
SHA256 e57af0825712ee377ae2058e81fad4f4f0797ff8f8a25db7986a9e64d4c1696f
SHA512 ebccc26d94d200b015ed6ff9887c969aea1de694ec559724fd06f26a6e40fbeed15cc27be7b7fd051b08b8724a78993feddad5211e1d5b9e0d9ae07ffe22df15

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\codemirror-show-hint.css

MD5 d10a1f4608d7efee6e1324f695a97d53
SHA1 4694e77be609ddf88b05776e6a48e1be5ef878d6
SHA256 ca2f7e4e1f3ae6f24dea4530d1689d6047486a2f3fe3e7263cea588ba50308ba
SHA512 44ee29c9521b5ee5d1dcdb19eaf17e494d317c1ed587ee9422b3ff4b5308f4fee532b7fe17cf532327a138b4df6d03b1cd0ac49868d78475d16f9abf5203719b

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\codemirror.css

MD5 e055267740a559a23894deaa50d05ac4
SHA1 2d8958657e19ac0b6d4c67c712d51c515d9c2310
SHA256 959c7856fea239bed270e36a5dddbe88e9df41282f7825980ff4f138eb13ea0d
SHA512 64deec31251c458da8e70c33ee9da0af47a11eecfa6ff832bbd5c8e1ad605af42f2b86effc8a35037c69c64ac8880a38721da814cadf8b1593f6a911a01deccc

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\strokesplus-net-custom.css

MD5 cfe32358318a1928a7bc0bce112e2327
SHA1 c619fd30dfdf41a2000b9b672df021853ec10ffe
SHA256 c255bbd1adfca403430b817de645bd182a2a3073c5a21c0d453135b54be18b8b
SHA512 0bfc64084cc1d5dfc2218939809e5be92cad7595d7edbb0870bac709a7c3429b1170cb53dd5323c3af29f8674c2bdee8d8d1fcd6200b2c14e986631b9b50b68c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\codemirror-autorefresh.js

MD5 acf40711fa45f55dc8151c5a5c9dbdc8
SHA1 22bdf3f1a0fce9e7a39acc91e4aae131f970e025
SHA256 e5c187fdd5c12381b40c0353151b4df5f2683974227bb49818979f7b46b7e58f
SHA512 5ce912d75c7dcd5c73894a481eefd5224e6e3d43d80f934240a9cd6611db19dee279f9585d09be1eb5d19097c6ac22154ed5139237a1b1f1d64e9a9496e563ca

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\codemirror-javascript-hint.js

MD5 e02e3288291152006a345a01157f52b1
SHA1 c5e89f23a97da8413d628fe28cacb0cfae9a695a
SHA256 b0ad564bab726f3d22bf6ccdf411c3b3f114137801cafb895b495c142692fa96
SHA512 91af819cd8805ba4fa0eec032539c501fed91072f6747d25100b062b90233900f9d530c68c6711376c4594ff86195d39436e2d9ffe07df389b9295f25b4fb2c2

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\codemirror-matchbrackets.js

MD5 d2142081656b946bc138ceedef12f110
SHA1 30da17d695fd90ef7f6ad1ee0ad687ea003173ea
SHA256 acb4d9f072d524666b6999def93b56f2eb9734efd6e88d01d876449d913dc9b5
SHA512 2835a19c2cffb6aae8316478a8f0ac6bbee5bb8365460008085a016078d661b5a7ff37e88109d387a48a7eeeab099db95899c6909c5124d43a2619120cdcede5

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-applicationeditor.js

MD5 84a8abb51fe73fadd307a23e19fc1b4a
SHA1 359cee1fff2096efd100b96118beea7eb476813e
SHA256 a543b62da0d5c46580cd4a458c43fa1470b790ca72723640a16bc5176a8a535b
SHA512 a3c81afd5c587c03f2d69125c439ae847e9f3c791c60d4b1d3f9ad988c27485479bad3f7096def435eeef1be2feefe1c2f918781ac9f6bb73970f1cfae3287bd

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-applicationlist.js

MD5 d0e079183bee5523e5738e0f57353345
SHA1 ca9b3f53c01f29740e4a7960273391acc884a05d
SHA256 6aaad853f929abe47b191d36f34bc37a2c4255f4775bf80853e55a6475fb4ff0
SHA512 a0cf946c1aa32c7885230cdf2d9a19b643f517ec28155cced2c5e6801785d96e7e5c4e8f09b2107cba681e7c438308b15b3c786effbea6fcea9b18fc04343d07

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-load.js

MD5 90647a282f5507897418f1b93b1fd429
SHA1 b9562248342eb5ff8d40f7144858123cf022eba7
SHA256 e638cd7ffd900370eeaefce5f76e67502e4e6c533314fa3884491dda5b34bdc5
SHA512 86fcc0a413a3946141d8fba702902585dfa725dfce26439b3abbd7ba531580f28055a18e497dee84b42633afa14591460e72720e8d3b526d3f9ca18ef6376cc1

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-menu.js

MD5 ef5f68814a70144c054802048ee0db80
SHA1 22af70331159703b4a2c6cac3bcb7e92ac316271
SHA256 786661250d3a23c9edb9a812d8c18151ed38cb47a8dc7dd26194ff735eccb11d
SHA512 74065bc3727b1ecc1c575d5a694f6052835ad87bc83e97841a2802aacfef414c6a60be20dbebe9e0879be3fd89154619842a406f99acf03ba7d63a35be0b145f

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-modals.js

MD5 1ef87a281123c5cf05a27abb05cce9bf
SHA1 4e45ad0f4ac6572cf9f6c3d30b5b2bf417f60aaf
SHA256 2e934f10ea7d49b0a45a80312944ba8c8ade999995a6a54f13ee4ac1a88a94ea
SHA512 2ca5dab215b025d5c5b49a48faad291b580889fef8662ad40dec05166ed9daa0a005e873dff37ed91ff6957ace763525f930963c5563315a11b608445cccb3df

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-scripteditor.js

MD5 c76f02e12e1bd7e8a484ce78913a5881
SHA1 6af07c90c7fa0e8d5b43264d4b3fa4a74c3a25ce
SHA256 8a1dd204ceb91d148dd460b5ba13eed0e60cfabdd17dd8425aca50bb513922c2
SHA512 828e33312deeb0c138e14a6318055e15036bd367f5936a353a3da2c925a039dff98024f2aa861165a9c8ca0107fad21dcb43be009c5f5916c787c455eba52ac9

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-stepsscript.js

MD5 86a6f8437cbfdaa196d7ae2ea3eff024
SHA1 05ef040e39ccbd8eeafeeb3e68c1d581c72aecaf
SHA256 e55a40b29c4d0c6486a5de06339df942df684eefa5cd2467d25912eeb58eaf7d
SHA512 624eb001ca62838f545e68fba6a68601bbd98008c5ea084ae5889b4e6200194c4d441c4cbe1fbae00bd37e91224511563aa927b5deaea4789ba30a084c32e565

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-toolbar.js

MD5 3565523f8a48212afba16dda4edb5a79
SHA1 c12de32579532c8a001cd441c2be3aeab89fb973
SHA256 408f0bcec00b4bccaa3e5027fdb9b41f2132f64f6b45cef605d23c7e34cf3c0b
SHA512 f354a906d11c1e1f564ed7dbcd5d3fed5db4485820eae9c435e01cb85d4f679bd791078dbba1b1a16425a53c244bda7e7f4c425078710bce1a406d58df4df2ff

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\strokesplus-net-utilities.js

MD5 fbbc2c82a901706313fa662d87157b51
SHA1 34a6907255f00544d88cf76c9a9bb9edc36cecae
SHA256 00de4f095edd15c610df1455794befd35f69ddf8cb90d50d5769c32b7af63b97
SHA512 9acbe4fc210882d706a0779627a01ace939bbf6bd0cde89d970249a14e17c9bca8f5aab12e2f56bc8e80f0f282b8aea6fab29314a8b50e726c47fed5a61df041

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\settings.html

MD5 d5bfe7e5091e21b227d2902936d58c4f
SHA1 326b6c6de0e045ab194904ff051839bee344487a
SHA256 1b50734d8509c1a0a56cee933e0fa59871f0d89f433f880fd22bcc6dbaf91667
SHA512 221c2b7da8a2727cf7022fb4403f6859a2193144f72a232a2f3da402507bcc75fd0618c3368b96d0f33581607323379e5584069cfe872996d94d2ca8631c3970

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\locale\de\LC_MESSAGES\default.mo

MD5 c41f0999d7326fbd354bbb86b0c1a8af
SHA1 590e72b3fc64f09ab4e4ea2e42285c09ad933b64
SHA256 eff1bb0c9e6c16989b09346f526c90d80e1a748a779856953ea3e69f92b68fea
SHA512 e7aa424b77f27e526922c5658555b56cf42f2b20b7b14a9c86ad136b521ac0195dcad04ee7a302d034153bea94f3e36695f6100ebebffda216a2f3692646d8cb

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\locale\es\LC_MESSAGES\default.mo

MD5 943e56b4a41280e72db9c212e7469e1c
SHA1 9a0d7a277a923c6f6b8b8909310965f03d2143d5
SHA256 eed96f63a25ea4ff4b91e801d9bfd94c3249d975320e0fac5ef8b5e45a58985e
SHA512 e3fe207cf0f05dccb893124cfce136e7ec7ff81e6d20ee8bb2326f81a8f1cbef8031087f4addeb5bda96e7176c5d3b997c5357d5071867a7c5cd2223f63f81b9

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Config.Msi\f76e036.rbs

MD5 a5c040adf5cfe01cf03235559110bff2
SHA1 cb20a699bd5350dc4a5f390277a445849d0b616f
SHA256 9079bfe26b707079d36dd01508605364abc3901c5e5cf3e0c3b2969b42aa0c21
SHA512 b6d9412596e462203ec38460520ef2053f348c89ecda2e67ea252a8ccd425b31a5c88178df436201a856792f2202a782924bc48775ad2a5c352f7e3aa283be49

memory/1204-414-0x0000000000190000-0x00000000004B2000-memory.dmp

memory/1204-419-0x0000000000190000-0x00000000004B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 21:19

Reported

2024-04-03 21:22

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{3F37F03B-187D-4A06-9F93-2396D40388DB} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e578702.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A5E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8BC7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8CF2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8DAE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI938B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8B68.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8C26.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e578702.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4940 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4940 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4940 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1744 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 1744 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 1744 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 4940 wrote to memory of 1428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4940 wrote to memory of 1428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4940 wrote to memory of 1428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4940 wrote to memory of 3908 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe
PID 4940 wrote to memory of 3908 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe
PID 4940 wrote to memory of 3908 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7CD1B96D823EC47A4D4F3AE6ADB2F157 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\adv2.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a6e9b1557039c81fc4d4afabc0399f6a_JaffaCakes118.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1711938567 " AI_EUIMSI=""

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8B4CBB5C08D113BC04A6E32768CAC87F

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe

"C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\cecilcore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 cemujq44.top udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 cemujq44.top udp

Files

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\decoder.dll

MD5 454418ebd68a4e905dc2b9b2e5e1b28c
SHA1 a54cb6a80d9b95451e2224b6d95de809c12c9957
SHA256 73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409
SHA512 171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\adv2.msi

MD5 4194f484a9eddbf061602ca3518109fa
SHA1 d0ce65bca7177b505c77b86133c926a6d59238bf
SHA256 518f0ee6728f89bca8d394aadfd77a0cba35308c25225eaffd2ed04daa6cfb71
SHA512 a4c1badbc35bb79f14595c83a3dee09aeab18891fd343dfe597e680e891c6a7b333b947d939933f4c0e441cd8645e78dafb042992a0b6a4820a5fc5a5d4ab093

C:\Users\Admin\AppData\Local\Temp\MSI8202.tmp

MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

C:\Users\Admin\AppData\Local\Temp\MSI837A.tmp

MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

C:\Windows\Installer\MSI8DAE.tmp

MD5 2a6c81882b2db41f634b48416c8c8450
SHA1 f36f3a30a43d4b6ee4be4ea3760587056428cac6
SHA256 245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805
SHA512 e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\basswma10.dll

MD5 a1b72973bb9af880f8d90f15c45764d4
SHA1 25491e8d1bfea8212b21c3acfb4f3232522e2a8a
SHA256 9230e808b848f07d23f814b2401f6a11d9753338912361e10d0962b1bf603bb1
SHA512 9749ca312902cfc5aff12e41119e9a6a98c2a67d8c80d1793bb8f75e930158734f29e965e6215aa19a0fec437697a0c00e2f440c0c9839aac4200b9ebd0dd09e

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\cecilcore.exe

MD5 fa13d6d888e69b5b795fcfed11b2492c
SHA1 e96008828cb3bc7f98208bb7e76e694e4f4b85cf
SHA256 f9c1794ea531bc185b1c1449b516a198c74075629d75569b710fbececa864298
SHA512 35c0b99db5fcae02f7309919802b7b4ff4a17d3c87cb6edc21891c7eefcbf2ba344eb4b3c213bff43e6b5b892a9f9a2db6fe8269c2a76376bb8d57d7f62f76cd

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\sig

MD5 a96984d1c71c6799cbbf44c19adc046b
SHA1 b2fb68f027dd71184d8872d7ff8aa6deefc8bfb1
SHA256 a453bc91e3a825078753c667c22f606412d2a4cc995e975eafb1ae178afb6117
SHA512 920aaf54812a962c42f188fe1ea4c1cec77036bd72b27351b36aedb530fb517d9a9332ef132d16ee2d468c6087f7a1a11dd1090f51d1374eadb22b81961ec1c1

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\settings.html

MD5 d5bfe7e5091e21b227d2902936d58c4f
SHA1 326b6c6de0e045ab194904ff051839bee344487a
SHA256 1b50734d8509c1a0a56cee933e0fa59871f0d89f433f880fd22bcc6dbaf91667
SHA512 221c2b7da8a2727cf7022fb4403f6859a2193144f72a232a2f3da402507bcc75fd0618c3368b96d0f33581607323379e5584069cfe872996d94d2ca8631c3970

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\js\codemirror-autorefresh.js

MD5 acf40711fa45f55dc8151c5a5c9dbdc8
SHA1 22bdf3f1a0fce9e7a39acc91e4aae131f970e025
SHA256 e5c187fdd5c12381b40c0353151b4df5f2683974227bb49818979f7b46b7e58f
SHA512 5ce912d75c7dcd5c73894a481eefd5224e6e3d43d80f934240a9cd6611db19dee279f9585d09be1eb5d19097c6ac22154ed5139237a1b1f1d64e9a9496e563ca

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\HTML\css\bootstrap.min.css

MD5 930dcbc9f2338de708fc0a1b83bf4509
SHA1 d7d00b64854a54676c86095289e5def76b98ac96
SHA256 e57af0825712ee377ae2058e81fad4f4f0797ff8f8a25db7986a9e64d4c1696f
SHA512 ebccc26d94d200b015ed6ff9887c969aea1de694ec559724fd06f26a6e40fbeed15cc27be7b7fd051b08b8724a78993feddad5211e1d5b9e0d9ae07ffe22df15

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\AForge.dll

MD5 02c63f568e598aad85dd401d7b26e82a
SHA1 2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c
SHA256 966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
SHA512 da9bff86be8fa890dda80a35ee6c851aa655f087f81804a23c73f8c586b7e13ac5a643e0a516a35787cd97b392aec16bfb95210080e4e53e6144fec9316acdb1

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\TurboJpegWrapper.dll

MD5 f5639d78d8c860df0176b1499695e8b3
SHA1 a70f699d75903ca2ae31098f4687add23245804d
SHA256 9c8de413bf48e680ded9db3b3a4c7773642b9d6c76973ae95d40eb0cba31d4e2
SHA512 2098dd214db72b7f9b70c58cd1fcb53dd4982e441c19b3571941f9026e0dde0ae9005bb084ecb2f21ee2e24776fc95d60cb50b11fc536a68ad153efc1dc8ef0c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Mono.Cecil.Mdb.dll

MD5 a269c436d17634aecf2ac0e95c44728c
SHA1 3dae54046aa5edbcf58ff38acc1d12682e3442b5
SHA256 f02a2d8154ef002863702d6513c6773ebbb83e520834c2ac8e38c6a7f0174e27
SHA512 bbd1740bce3d1eecccaa560696cc5b0999a1e00c3d6747f3bb93ab44a5f9a2186f01048fa69e173b89c40b98bddf13c4de92564b13c0ec36eb96b69ec65dc157

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Interop.IWshRuntimeLibrary.dll

MD5 9569c5ddd9ab1e7bfd24e41250a67903
SHA1 304afddbbaac26843cf53b9713e09a85fe525cac
SHA256 6a80b9d1bd609a3cb6af8cf8c1534f7baca1d78ad353ce6ed5b578a0ba96eb83
SHA512 7bc2a98f9fb934212cbc7b8dac21ec38b89b39a3f60ef53490bb25d07c286d1db4da1757b766f323615185aa26f094e601337110da14224fcfe3ce016eaf0c54

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\WindowsInput.dll

MD5 eda6dcf70b3423d40078e5440fad3704
SHA1 0ddee7bf081fa20e71683d9ab2029ce93a7ee1b3
SHA256 f44326a1a2e2fecb4029c19b7a5c0777821cd6bae9b415989d3f8007c15861d5
SHA512 0b0f3b889ebc1a88b0fff477256fa5b234e520c64f0a695f125c0226133f35c2d6f57c83de648fce19e30fbecf9ce401475221d8f761c896479cca4d4a96c3f8

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Qt5TextToSpeech.dll

MD5 3cdb361b43a3ce45145df5bad519df63
SHA1 8f7cfe31068584151bf913171c82949fd7a945f2
SHA256 8f5a39d8e35d981a8200fb4a83b42b72ec71a9c5db16a09c5df69b001bfb2e13
SHA512 88722199a716dbe665204d9d192207594cd3819130d22c07133e8a229628f66e5eddab60dbb1759ba389cf42398c32eafca8b74e07b3dfce4c916fd8715d566c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Numerics.Vectors.dll

MD5 aaa2cbf14e06e9d3586d8a4ed455db33
SHA1 3d216458740ad5cb05bc5f7c3491cde44a1e5df0
SHA256 1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183
SHA512 0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Memory.dll

MD5 6fb95a357a3f7e88ade5c1629e2801f8
SHA1 19bf79600b716523b5317b9a7b68760ae5d55741
SHA256 8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7
SHA512 293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\System.Buffers.dll

MD5 ecdfe8ede869d2ccc6bf99981ea96400
SHA1 2f410a0396bc148ed533ad49b6415fb58dd4d641
SHA256 accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb
SHA512 5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\clock_common.dll

MD5 85d02f053f1151ac4d3fdda5ea10adc6
SHA1 a134e20a33387a3bfe256b36585d9ccb6113a29f
SHA256 989354441731eafd1cd63285ab681176a43f08ea999362c5d792c9b2bcbd6564
SHA512 146233b07a3d81f7aa7c2a5e055935fb61307e20dc15b168c248f6d83f934d916184b568e39f7ad8c6ce28d26eb5b1605d6b2200b5ddc2b6cf0bc0dd114981c2

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\skin_draw.dll

MD5 72ad6c45aaf461326f5a512afb4b33b0
SHA1 4b6791aa02c76e96256bf19ec9ff828303a308b8
SHA256 dcf318a760aeecca2496417d5111b059867471919d2721d766da7d29d29df305
SHA512 5c495d059aa51beb4be143a9beb496f380b84f28bc4090e2c21f942e5847dfb5c2cdfd759636eacf4b2820fb6f68cccd8b60ce336a721d03575f45f9496f6b99

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\plugin_core.dll

MD5 b79d7159ba735958c18148dcdf543571
SHA1 d7d4d4aedf7897092665dfc573e9fe9c313c2fe4
SHA256 638aa5d39ae52d09317c001bb8163fbf1ffdea03e371ed61457d765ad35a5e52
SHA512 79b7ae9a722714c6d640f35b81e54fb9a0b8e6042b99705094d6e968736d1389ed0e2a90c5120955a458d158d9af8a485ff4b5dbc9227165c11dcf62fd180c71

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\libEGL.dll

MD5 89a6ab09dac37a28f2267c8b65ff55c5
SHA1 9ce53e0e5b904b6a94b4d4988096609636bd14e4
SHA256 5efc0aeb984eb7691305b362088406ab82d5b2d9fc7ad6332f0d6e0919762cd0
SHA512 0806db4d43b5841f76b773df37b2548bc2dbf968df59d4538181be31f0434eb098b9e229f7cbe524a31eb75cbabc50972236bb9eaf30b4f15e4f2cfede7fce14

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Common.dll

MD5 5026b281f29df1f4c2ab120a70f3550f
SHA1 7ae56eb0d2fa8b52f95d1f4ba692cd6caa95545f
SHA256 e3dc7ea9412525f29f4a13d412a8b64d7da0e18f5c506d26df5d958f7667280a
SHA512 0a1afe8f22d8362b55b86a40589116e94f4c1ce56ec1ee5ce633eb881314304f31a69d683b70011d3d9ac3b25b6af96315573d270dbcb28148919a435affa7d6

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\res\public\de\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\LICENSE.electron.txt

MD5 f8436f54558748146ec7ebd61ca6ac38
SHA1 ef226e5b023d458efcdc59dc653694d89802f81c
SHA256 34f6f27c26d1bb8682ebb42ae401f558228fd608455bd7c6561d5fd500b7d05b
SHA512 5b310b48bbee286f03e645e4bfad0ec870a7c68c445d54f46f3eaaa9c427f9de6cd0561d451838bd53c78a5289e9f0bda19cda4257a4657580afa6c357913050

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\CHANGES.txt

MD5 109e9d23496dc406050f895409be2531
SHA1 5a8659d65025b121c2a16d80d3d55cd9c3a5a7ef
SHA256 b58477a045a7411ff95ca8b1e055801d5d10055e2de52e1a94397919a09d82c2
SHA512 548fa0ec3b1a4056440867e7b7fd7374ab9d08e0156121ef7e1f7c57ae97a58b5c357cdd69ebd18df80ca4078fb595cddebda245b317213b140cac5069ab7058

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Patterns\fr

MD5 4469ed2cadd8bd68c98b1edbe7048f0e
SHA1 0acea62b36f40ba1cee16f8fdf13611b9a842f2c
SHA256 96ae3706b28222f26842120851dd3a1cd6afda616a5b4a5ab5f847c9e3a19e41
SHA512 048c3612a48d98ebe765856255795334cefc1cdd1375d91ebe6e9b42041ccac8f434d75e7e2e0a0d00be90d3d08fa5f571faa10e1b79cfb8c55b75d5723c87a5

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Patterns\en

MD5 cf18449c03c2751168b7e9355f466290
SHA1 a4ad3e074b392ea50509d40e833029aeb65f0616
SHA256 cec9e6e52d2b247ddc1f01978b918ef7fc1eedbf7c9a6c58e1480695b1b1b51e
SHA512 c8d2a6387521f227cf223300da3df9726e0722bd0046c8208b53bea3135eb859ff629e911c8c1a4c33d6880bc2f7ddbd87abec2a37a7393a20dccb60722bba26

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Patterns\es

MD5 cd6834229053e2f4247514bb4a95f285
SHA1 0a5cd0021fc5f0a733e588fab5abc540319df67c
SHA256 a065ac42835c89a13924e1b1209edd20e35dd1b087d6511d5ca61c826207c263
SHA512 2f7353f8a5b74ed4d643e6882134be2caddd1b682d07f580b042f57df2e8ee5473a6fff95879212f6f2def8b1d9bc1e3a6e1a54588213688b6c632b1e13de562

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\fonts\fonts.conf

MD5 4291285924e90d1a1fcf1ddfc51adad3
SHA1 74f2d9b2f9665a1ff083701456a0fbfe351f855a
SHA256 68011bc3741ebcea48f08ff2aed8519762a946f3e0fb9c224b1d3810ebf5bf4b
SHA512 80b570051324f0987f388b78f2b2b2a50df2ece82eb6c003ed4ab5fc1456789fdb4a616c3be760580d30f48aef656eb3604cbd0a7808c49f03b347f2d4388cee

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Mapsources\Tableau.tms

MD5 5de9d985e518303c37266bce8181744b
SHA1 17c315c642d35a24a9f04e512d755dd634564299
SHA256 1e1e0ea80b4d1a9982375e20164cc78fbd5c8682ba826ee353018241a430971a
SHA512 537632f16bce11f3dc7ce0833d55a0d76e90ccc456a199cc068f70494a744985a242028176c5e39266fe99a085cebcba9172e4538ec0fd72acec1d3d3d0ed116

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\share\themes\Raleigh\gtk-2.0\gtkrc

MD5 5fc9003ddc2c64b110b1161259f61923
SHA1 4ecddbcceddbd90a3a654d3788ec3aef8c197a8a
SHA256 6d9beaf039092aec5c1fbc23a62402bcd0704c45c430189a6ac69ae8aa797a67
SHA512 5c90f3f1037fff9f10aa2030bed2c670edd528482532e617549db2133e26cf801bdec56d4543feb024cdec1c0026909ca9a21b378ec3b89489c18c395660c9fc

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\share\themes\MS-Windows\gtk-2.0\gtkrc

MD5 94d104680cec5f3d8bbec56258d0c926
SHA1 72ede372fcb34b29754f20ad44f49bc8605cf22c
SHA256 e9dd3015f76e05f185ebe7564d364aef8b8168b05e62421c99875e14e4597977
SHA512 cf7d04304fa58e2dd9a8492b31b065c03c1f7ea96ab71d7d3d212eb17436c7c181470c23296fa3f599f1ef56c6b243921ed7f0a92ad3e0a6cd40a5fe857955a9

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\share\themes\Emacs\gtk-2.0-key\gtkrc

MD5 4b600a3c3c2ac37f7d0c13c4d86ac752
SHA1 d1da549c070d74aa9f9456c4c1e0ccbdde5256c8
SHA256 4214bee389645edcc7c9971ba35dc4d96e8c135ebc92c51c05b0c7dd36abd8e5
SHA512 d4ece8e39a80073bec016b375a75bb5ff5c697aff560e5d4aafc6031f26451f8d3ef32faf1a0b2be3470450eb2ea3ae8978cc444ee0e2d2ef374ef43340e64ba

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\share\locale\locale.alias

MD5 c26bd884605e7cb04a295fbf331e11a3
SHA1 7330ab3dc0410db503eba19976f027cf49eaeafe
SHA256 67cd91edbb01ea1eeb59f25c0a8cb6dfe90653fb5fc437d3d32cd0814804075a
SHA512 f88bbd4ce7ef42b710071efc5b3aa99f18b5da1e18b3e0d5b051acf125809a9eb94bcac9d91639660246a2406c30e93449d1ff81eace9caf18c6cd5e52ad85dd

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\res\public\en_GB\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\pixmaps\black.png

MD5 a875753fd4e92edad63f5d8b9a79426b
SHA1 241b7f8bc325993b8044498ec4a6c03d576c6b48
SHA256 d09f2e254540dc26a948cf49ac09de2ffea210ad9d8fb77ab7a943ce938b5570
SHA512 b04ee55b20c42a36e6125ef883161eaae11a990a99042b7fefccf0433455e35c621b8f10587a6292adc0f71ccf9a896c0264c8607614196d311de86b28c338dc

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\Patterns\de

MD5 c2460e421fc43708ce0a7481c3883791
SHA1 77acfb887fbc54e53b813fff984315bbc7612cdf
SHA256 cba878ea988c7e9da8115aeec3ab29a797bbb77fd232d5af047601e3bcc50fb1
SHA512 8fbea784de3dfde1fa71b271579af0308a6d1b9d5b5ba14fc98c636fa72388ca35d3fa398457c8bcafb522bf58cfde0f7257a8b01cc08ca0b836c1159ee7ddb5

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\pango\pango.modules

MD5 7a7327019610dfb25d5fafb2d2b0f3ab
SHA1 812af1f65174c63c4a90dd72d29d6e1180075a6e
SHA256 cab115828e04766fbf8e20b5ca6e5632e089f407b338832081d8b42f62fea38a
SHA512 9d7d7fd408d0e0cbe8df24cf1184aa9c24f41dc94d98e7262d04e617b7252381e6845b9e2724557246af8696a5e0cb99f1d15b3889aebd7887fac99e68b79849

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\locale\fr\LC_MESSAGES\default.mo

MD5 695cc9cb3de36c03c6b1cf813c9b647b
SHA1 9a0c7c9ae9ba841d33550dd793cfe01dada667bd
SHA256 a0b7ec6f0491756e53dfc23e7e17d37b87bcf3ec7288b4b40d8c5f4328bc9d10
SHA512 75dd9dd5f000c7acbc1d078604c7293af5cfc021a470861809dbc6b5e796c19732abcadf1eb6f74ac3e9e39c4e3c87927987f9db5029b3bea7f2b156b542ec15

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\locale\es\LC_MESSAGES\default.mo

MD5 943e56b4a41280e72db9c212e7469e1c
SHA1 9a0d7a277a923c6f6b8b8909310965f03d2143d5
SHA256 eed96f63a25ea4ff4b91e801d9bfd94c3249d975320e0fac5ef8b5e45a58985e
SHA512 e3fe207cf0f05dccb893124cfce136e7ec7ff81e6d20ee8bb2326f81a8f1cbef8031087f4addeb5bda96e7176c5d3b997c5357d5071867a7c5cd2223f63f81b9

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator 3.0.6.1\install\40388DB\locale\de\LC_MESSAGES\default.mo

MD5 c41f0999d7326fbd354bbb86b0c1a8af
SHA1 590e72b3fc64f09ab4e4ea2e42285c09ad933b64
SHA256 eff1bb0c9e6c16989b09346f526c90d80e1a748a779856953ea3e69f92b68fea
SHA512 e7aa424b77f27e526922c5658555b56cf42f2b20b7b14a9c86ad136b521ac0195dcad04ee7a302d034153bea94f3e36695f6100ebebffda216a2f3692646d8cb

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\3delite\GFX Creator\res\public\en\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Config.Msi\e578705.rbs

MD5 7dace2127e6ced58c9104ba3335eed3d
SHA1 310d889829da7fc700674958558b9ac7a05d5374
SHA256 80e66680ef46024ff77106b84fc7ea1a2bab0298a78b8e83718fe34a62e58930
SHA512 fe2b53b57d75611d875b881b30f5a36647da75ccb0592d85599ddb8bc501bcdf55b37ac6300eea6007cf043fe1088f4cbc617726c0bd9b49fd2ff7760c1fc0e7

memory/3908-339-0x00000000000F0000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XSovXAiv\_Files\_Screen_Desktop.jpeg

MD5 fbbde349b7ac8558d1bde6d2fa81ab23
SHA1 3b7f854b16ab49cd80894ee70838064b47050e00
SHA256 87b46f7df8fcf6fd18eae52d63460ce2e790a758dae7799b147350cab5b8846f
SHA512 9c57cb9ee9f853ad4b94c1ef7716c0efa260d286a67b2ce93a51702d000690005e17c46c6b41e001e4ce962bff6939e290f345aeb54359290721d245162a1910

C:\Users\Admin\AppData\Local\Temp\XSovXAiv\_Files\_Information.txt

MD5 38a3261fc5bc282ab3981b6183ec5320
SHA1 092f0ee157287458e3f816f4e29fd837ea2c1e8d
SHA256 e9d06787d23bc150cfe6c2b4176140207c47363919d87b770cb2b38edf432a83
SHA512 994250ee77c7142f9cfd2d32a9396043933f436a7353ab6dacc83b3fae41485255d0b6512bd2442391e8d2efa98693590ef18a4593f53d7736eda80b50df6c99

C:\Users\Admin\AppData\Local\Temp\XSovXAiv\_Files\_Information.txt

MD5 4f87c8cad40ec6b9a4bb468f523d695f
SHA1 1357c9020121daf7982d171dece03a368260b56c
SHA256 a3b75ab237458862c189025a920a7f2bc424749bce5606278d52bfedbfe4d81c
SHA512 7c5765e5f58feda03dbcd6d5c30ce678c53005a258e04e7b293182c66cccfaffffae86076f51965c0c1764db43212243c4aaabf87de2d91d0ff15d5fdc478d96

C:\Users\Admin\AppData\Local\Temp\XSovXAiv\PgShCOwvoFDD.zip

MD5 33561754c85faff1d41635d62b417765
SHA1 099bb846042a48c0a0e335fe4000f5e960a55cc8
SHA256 664aebc62910ef21dc2020c54267e988ae3fb23874aa358b36b592dcf6688b10
SHA512 21e6d2275e22362144b461922b4781b11083a17f4a4ed177e9b12a7e0bc41077f52c0e68c95b7cd44772474cca0079b10af54c91e8bdedd9ae9d19e73f3213b7