Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
15/07/2024, 04:15
Static task
static1
Behavioral task
behavioral1
Sample
482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
-
Size
6.1MB
-
MD5
482e8ca1912e3c640600cfd311be8c42
-
SHA1
8dda09f90d24a5357195040b6d78e1fb97eb3325
-
SHA256
ae1529d706975f16d76d5d03c39b70d1e87564c4649c4819663e231acc7b2ef3
-
SHA512
d05d5e8f775c957676db470c8129aabc8154acbac3f508544853246913159e9095a6ba3cd44ae26acf87062c4842f868c3685916e1c043d0d6172b769c92cd0f
-
SSDEEP
196608:Y+m6N7cOtRobnM5d/s1vZEL7ge57/TyMmNyRKJq:Y+OnHV/A7/mmRKU
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "9.0.124.0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN" | msiexec.exe
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x00060000000194d1-97.dat | acprotect
behavioral1/files/0x0005000000019622-115.dat | acprotect
behavioral1/files/0x000500000001962c-119.dat | acprotect
-
Executes dropped EXE 1 IoCs
pid | Process
2492 | ISBEW64.exe
-
Loads dropped DLL 13 IoCs
pid | Process
792 | MsiExec.exe
792 | MsiExec.exe
2680 | MsiExec.exe
2680 | MsiExec.exe
2680 | MsiExec.exe
2680 | MsiExec.exe
2680 | MsiExec.exe
2680 | MsiExec.exe
2680 | MsiExec.exe
2680 | MsiExec.exe
792 | MsiExec.exe
1488 | 482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
1488 | 482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
-
resource | yara_rule
behavioral1/files/0x00060000000194d1-97.dat | upx
behavioral1/memory/2680-99-0x0000000010000000-0x0000000010195000-memory.dmp | upx
behavioral1/files/0x0005000000019622-115.dat | upx
behavioral1/memory/2680-117-0x0000000002DB0000-0x0000000002E3C000-memory.dmp | upx
behavioral1/files/0x000500000001962c-119.dat | upx
behavioral1/memory/2680-121-0x00000000032A0000-0x0000000003330000-memory.dmp | upx
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 2628 | msiexec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Macromed\Flash\Flash9f.ocx | msiexec.exe
File created | C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9f.exe | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\Flash9f.ocx | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9f.exe | MsiExec.exe
-
Drops file in Windows directory 18 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI13A2.tmp | msiexec.exe
File created | C:\Windows\Installer\f771114.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI14AC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI14BD.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI15D9.tmp | msiexec.exe
File created | C:\Windows\Installer\f771116.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File created | C:\Windows\Installer\f771111.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}\ARPPRODUCTICON.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI150D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI17AE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f771114.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI1964.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f771111.msi | msiexec.exe
File created | C:\Windows\Installer\{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}\ARPPRODUCTICON.exe | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWOW64\\Macromed\\Flash" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil9f.exe" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ | msiexec.exe
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2628 | msiexec.exe
2628 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3048 | msiexec.exe
3048 | msiexec.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1488 | 482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
1488 | 482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\482e8ca1912e3c640600cfd311be8c42_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\IFViewer\293827056\install_flash_player_active_x.msi" /passive 2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3048
-
-
C:\Windows\system32\msiexec.exe C:\Windows\system32\msiexec.exe /V 1⤵
- Boot or Logon Autostart Execution: Active Setup
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D05143272900187D3CF1A086632297 2⤵
- Loads dropped DLL
PID:792
-
-
C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 89A5C27417FCAD038870DCD953815285 M Global\MSI0000 2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\{DE396A07-7052-4F61-8E85-15022E0947F8}\ISBEW64.exe C:\Users\Admin\AppData\Local\Temp\{DE396A07-7052-4F61-8E85-15022E0947F8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5E690B6-1258-4EED-BD9E-CE94C74101C0} 3⤵
- Executes dropped EXE
PID:2492
-
-
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
C:\Windows\system32\DrvInst.exe DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000574" 1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1668
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
126KB
MD5b676228ee4ec65ff1f91aa27866d16c1
SHA1185268dd329137a928daf4edc1b39d0ce0d886c1
SHA256932f92c9fe13f010e8b0a57d35b3e7e2d959fc163c935f253c4ae69607a41ce4
SHA512b7f68f656d4511e1d977702bef987e01896cf3f6922c3690e35cbe376f7d8bac9e0558e809c2ffccbfd0fc0cc5db5522219e2b46ff296e64b71ef7bea09d8c83
-
Filesize
134KB
MD5926746112ad393e5cddba97ef148059c
SHA1e5fb5a92780ea04633e399617ec30f53e6201e96
SHA256e25535700f081eb5fecc08f021628e77ae806f4ca590fba7e5e5dbc20d5ef9a6
SHA512cf94b4fc727efdb58c82b37bf900ab31561a2a64180c16432f9af02b6818cca868f99881cf5178859a680fa7acc623921f419b2debd1bccd012b3a261487c8b8
-
Filesize
132KB
MD50d424c5a52b178152deef7cfc15cd53e
SHA1c818d460bbe90fbe7459f1b42b28dd834cfef3c0
SHA256b3596aef46efc824a83978460c4b1faccfe81c39ba3b4e4e60cd2630c60ed874
SHA51263f6b10a3a591b335da62c29f628023930966adf7661f5bb9a0157955fad33d9d0ce90792ceb897724daafcee26c5afeae438225d76446d79c41eb8f03a60e3b
-
Filesize
117KB
MD5bf70bd6674d85574efcbcb7560759e17
SHA1b725a3504b9ce1fb34d9e657c40cd1fad3b221fc
SHA256a80d87548c4871684021daab1874cccd507a0d8fe165bf5e40054b9ca264675d
SHA512c815176811490645a1e047f71345de23ed42228a39fa4b6ed4cb945438a3435ecdf07dc7b5fcf403fa277267844b5ec451fb64c9a9aa1b497ebe443c391dbab8
-
Filesize
182KB
MD5ff081141b98653c7a300af5f13963e7f
SHA121ed10ed4221597b633d2dcb74ca3b2c843654bf
SHA25605de473f391dbc1db6eeafae673300e99f339ff5609b78fe55aa934be601e492
SHA5127e2df537976057e9e68078d558b732f9b13afeb8d8c5bfd6cec1e18a0ce80527c0aef30c8a5edf5dc31f1719e30706eb6d1cc8a9093daa3425d14a9d28b7fc16
-
Filesize
694B
MD5d4df254660f893919d1adf03ce500141
SHA11d926801bb6361630e4c7f3780be93b9bd4e60f1
SHA256deeaa83b114c97ec1ecf1e124b621fb117db6202dc765c3cb1f14df5f42e1224
SHA51201355882e85101586f1a8a200e6fd745fc2815ac8d4074c198830db28b806d20a914d25fc43b729bf14a2ab26ec04870726c04dd97f601517c00743c45b30b22
-
Filesize
2KB
MD5b896f4037970e0957e4dc8f4168fa299
SHA1d3989bde92290aaa52aa4fd8419fd23c6a666f5e
SHA256d64f44450ede0329c73c76fccb4d7d50cc8c11fedd397618ec46c6e2344a2c3b
SHA51255d6840de30af00f65d3f1596f36e577aa7cefc0ec0a5101d6cb79ec0dc6c8837ac9596a6db6dad181719c9e371c321af2be07a218d0979ccf88f4d5b16cb453
-
Filesize
4.3MB
MD5c5f1b59b7b9ea497f3745f43f08c3189
SHA104ac79c4f1eb1e1ca689f27fa71f12bb5cd11cc2
SHA25690772c2311ba9c7420875d48064c458f4f68a6d82d9ab31aa711be449d5ad2aa
SHA5125325fce6a5e57200b9e7914b6341420382063183832dfbd369aab7e60beceb312a4fa5cc165ada185f79131658e7a53df1cafcb5fc5e30eaec43ddaec5748388
-
Filesize
84KB
MD5abb81f7897bb48a036686ccf840287ae
SHA1d6d648782584340bfa56c8e6d34fd70707af5d36
SHA2569dc871199cc9e96067a32401d225af50683ac14efaf35edc61aa45f346374494
SHA5124769d555b95ad593eae41e1cb91a9c7539b1c115b9b19a4954dec791f4d662388b459e3b7ad2964d5e0db4270406816582986d5a184bf55fd6c067906c2e0b25
-
Filesize
108KB
MD53e87796bb483793fc8abc7cf8a77402d
SHA1a055374870adeea97105ddc9e330bdae38f41d61
SHA256f90aebf1d4d4a29658d33f71c874dbfcb0821001ffee48433a44498b4b8eb2a5
SHA51297d41428a4c45602595cdb7cdb5ce495d2834438290d9d872a18fbd6ffa0ceda7eb6da070350913177101ae86837997fff8ce8602afb33e5d644b04018aa4eeb
-
Filesize
1.9MB
MD5587670886591e9820893b51e07c830c7
SHA1160278262ea58d92c9905e5840c12878fd8a93af
SHA256c1bfc4385924da37fac1200f9c97f0c6d40cd7d8344b12d63275bf11a7e21518
SHA512632d1cb3727fbbb0766a7c4a1dbad3d44dd5fb38c0c7818beeccd84878d0b0d5bdc25352c6ee40c16585e64602eee051f6667f608c08c5d3097f5afe0969842e
-
Filesize
2.9MB
MD548fdf435b8595604e54125b321924510
SHA1e13d25bdac576e95e9134c3f95f0f8cbe94d6185
SHA2567fcd80f7f56a841a4c5ef950afac8991da71ba9eae82f20db2954c7b4b72efd9
SHA51286a59d83cc3d39b752b7a9c98e79b3f8fbcca66087926f026aabf5453bde83321928b77947e2aa5f625a53dafc89c0bf224daa7ce004b1851345abe93c6e83f3
-
Filesize
213KB
MD55abe08eeb790d2322565dbd11bf70a19
SHA1c8c1447dcee8d47087a8f938560fe81ae9613b59
SHA25614ea495e00e05c476f2af9965c6137bc744518f7241e6ac922a0da295b9c8c51
SHA5120aec04ead0e26af98d495372423e607f252a345d9406398b9f2a960df525a6839e50a0b2751c57530e19b852c2fc5cb03585429e9ba8c1b15fad7bdb8944e4ea
-
Filesize
112KB
MD54acfe43491a4e0b66200470194eee4cd
SHA1788a43ac5f54f0bdbff09ed816634ccdede6ef6a
SHA25692986a3b474accd0850377be9c4cbc764acf2f90525a9eee18d93ad3ef6cba9e
SHA5129df5c9a93f5e6a493c648b42e4ffdd7149d7293e8b0a7bc3302eeae7837a60297fe309c1ca288dc8b5ca3a14be683dd585a61ca05d0e0543d094a0a0e1189982
-
Filesize
198KB
MD5244f7566604c6ae24efc9b07fd29674b
SHA19fd86b2213e7dbfaf3eab6189c1f7bdfd7a72e0d
SHA2566aedf40e66f8d356ccfe25b85499c2f49d4aef271e89cad56b95e9846a9e19c4
SHA51296a667cd7bd30a7109b3c0542b3531f03ae33ab11509c9cdf06912bc8bd09cd123b49356fcf24a5f96a1e657959a32ae3939b635b7393a6456813f21a3c2043d
-
Filesize
120KB
MD5e54601d8a464a455de081d63d4b7927d
SHA10ff6da399c123394cca3b4cc64a41d8037787b73
SHA2561e154a29673d129414ab56b995d04afcfa1a02af47dabaa28cd11c25f7d6026a
SHA5125a213430fb8dc6a19c24122f8d9cd03479ee7ae421eac77d1026f16bf520a1f113d43380e2a60d5f0133e09aa7ad323a7ef9d1cccc3eea1e905f09701b118e05
-
Filesize
570KB
MD532efd5fa1e43305776b0a015561fbd1b
SHA1ea91d324a50fe2102574ef55e86a757374c7361f
SHA2563a07e813f66743629115b4f959ebd7a30a83abda2c7677a94167fbf73d9b776a
SHA5120dd083246ff088e773260dfd0cbe02b41b98a62c9dd3c219753f8b708d4db87e486c234e4391024c5c6fd566995a52f31c007e3a70dece308a0546c930e9b34c