pony | e989f0886cc1a989479cfe91d0f660223e486de22ee05749dc93ebb4a31f6acf

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f72ed816664b86d4db6555ca67c02a.exe
Size

1.9MB
MD5

e1f72ed816664b86d4db6555ca67c02a
SHA1

2076dfc63d22fc991c8b8216757d22a34ec19f0c
SHA256

e989f0886cc1a989479cfe91d0f660223e486de22ee05749dc93ebb4a31f6acf
SHA512

3cacb0a979be4b7b89d830dc47ce3a139da47dfe21543aef092678c9d1129ed3e99d60cd027768c5a2405a580bea9e39b120c4f3b79e2de06f1ae83abb1c8288
SSDEEP

49152:ydOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:IOjtMaWZUxUfT35X06si

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

dwme.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" dwme.exe
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Disables taskbar notifications via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

Cloud AV 2012v121.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Cloud AV 2012v121.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 7 IoCs

Processes:

dwme.exedwme.exeCloud AV 2012v121.exeCloud AV 2012v121.exedwme.exedwme.exeA41C.tmp

pid process

1624 dwme.exe
2976 dwme.exe
2596 Cloud AV 2012v121.exe
2632 Cloud AV 2012v121.exe
2148 dwme.exe
2756 dwme.exe
2316 A41C.tmp

pid	process
1624	dwme.exe
2976	dwme.exe
2596	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2148	dwme.exe
2756	dwme.exe
2316	A41C.tmp

Loads dropped DLL 14 IoCs

Processes:

e1f72ed816664b86d4db6555ca67c02a.exeCloud AV 2012v121.exeCloud AV 2012v121.exedwme.exe

pid	process
2868	e1f72ed816664b86d4db6555ca67c02a.exe
2868	e1f72ed816664b86d4db6555ca67c02a.exe
2868	e1f72ed816664b86d4db6555ca67c02a.exe
2868	e1f72ed816664b86d4db6555ca67c02a.exe
2868	e1f72ed816664b86d4db6555ca67c02a.exe
2868	e1f72ed816664b86d4db6555ca67c02a.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2868-1-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2868-27-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2596-29-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2596-30-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1624-34-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2596-43-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2976-46-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2632-131-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2148-133-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1624-141-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2632-211-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2756-213-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1624-223-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2632-303-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2148-306-0x0000000002260000-0x0000000002360000-memory.dmp	upx
behavioral1/memory/1624-312-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2632-321-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1624-396-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e1f72ed816664b86d4db6555ca67c02a.exeCloud AV 2012v121.exedwme.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GwjUCelIBzNx1v28234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	e1f72ed816664b86d4db6555ca67c02a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oekIBrzONx0v2b3 = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	e1f72ed816664b86d4db6555ca67c02a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XcA1uvD2oFpGsJd8234A = "C:\\Users\\Admin\\AppData\\Roaming\\ypmH5sQJ7E8R9Y\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\622.exe = "C:\\Program Files (x86)\\LP\\C98F\\622.exe"	dwme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

e1f72ed816664b86d4db6555ca67c02a.exeCloud AV 2012v121.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	e1f72ed816664b86d4db6555ca67c02a.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

Drops file in Program Files directory 3 IoCs

Processes:

dwme.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LP\C98F\A41C.tmp	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\C98F\622.exe	dwme.exe
File created	C:\Program Files (x86)\LP\C98F\622.exe	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133560275714648000"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080000200811b3401a5446508cc587203dd445a02c91d22019d0002004c0000000000000000000000000000000000000058b0b0b0b0000000adfffffffff2f7eeffb4cb80ffa9c553ffd1dd91ffc9d67fffc1cf73ffa0bb41ff354b02c004080010000000000000000000000000000000a5ffffffff000000c000060083244801c593aa31f7b2cb55ffa3c040ff95a719ffa0b633ffb6c960ffa4b35af8223301be0001004c0000000000000000000000c0ffffffff7f7f7fffb9cea7ff9da957ffc2cc6effa2b829ffc4ce83ffe9ecd1ffbec87cff8da926ffa5b95dff738139ff101101a30000000000000000000000c0ffffffff000000a62f4102c392a12afaaab415ff525903b10102004e0000004d0001004e414903aa919935ff717936ff232602cd0000000000000000000000c0ffffffff000000a6405001dbb4b21afeb6ae07ff282701760000004d0000004d0000004d1719016d89831aff61661dff2f2b02e10000000000000000000000c0ffffffff030303a86f6f02d4e8e651fef5f471ff968c44cc040400500000004d0000004d605225b2b3a062ff908359ff271f02cd0000000000000000000000e07f7f7fff030303d64f4a0aa3ddd955fafffed1fffffef0ffa19773d12f290e796a5a29b6ac9354f2d1c19cff918158ff120d01a30000004b00000080000000c07f7f7fff0e0e0eb025250cb89c9a06e5f6f4b7fefffff8fff9f7bfffd4c16fffd1bd85ffdbcaa8ffb09969f4b3a58aff0000008000000080ffffffffffffffffffffffffffffffffffffffff2f2f11c0b2a40bdce7dd85fbf5f1b4feece2c1fed9c79efbac8c55ef483108a5f7f6f3ff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc43423d7b837224b4a28817d8906c11df6f511ec4524531973e3e3e78ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80702004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000e01b9443fb63da0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80702004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000009016453dfb63da0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133529057564444000"	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Cloud AV 2012v121.exedwme.exeCloud AV 2012v121.exe

pid	process
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
2596	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
1624	dwme.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Cloud AV 2012v121.exe

pid process

2632 Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

msiexec.exeexplorer.exe

description	pid	process
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeSecurityPrivilege	2892	msiexec.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe
Token: SeShutdownPrivilege	2284	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

Cloud AV 2012v121.exeexplorer.exe

pid	process
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2632	Cloud AV 2012v121.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2632	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

Cloud AV 2012v121.exeexplorer.exe

pid	process
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2632	Cloud AV 2012v121.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2284	explorer.exe
2632	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e1f72ed816664b86d4db6555ca67c02a.exeCloud AV 2012v121.exeCloud AV 2012v121.exe

pid	process
2868	e1f72ed816664b86d4db6555ca67c02a.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe
2632	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e1f72ed816664b86d4db6555ca67c02a.exeCloud AV 2012v121.exedwme.exe

description	pid	process	target process
PID 2868 wrote to memory of 1624	2868	e1f72ed816664b86d4db6555ca67c02a.exe	dwme.exe
PID 2868 wrote to memory of 1624	2868	e1f72ed816664b86d4db6555ca67c02a.exe	dwme.exe
PID 2868 wrote to memory of 1624	2868	e1f72ed816664b86d4db6555ca67c02a.exe	dwme.exe
PID 2868 wrote to memory of 1624	2868	e1f72ed816664b86d4db6555ca67c02a.exe	dwme.exe
PID 2868 wrote to memory of 2976	2868	e1f72ed816664b86d4db6555ca67c02a.exe	dwme.exe
PID 2868 wrote to memory of 2976	2868	e1f72ed816664b86d4db6555ca67c02a.exe	dwme.exe
PID 2868 wrote to memory of 2976	2868	e1f72ed816664b86d4db6555ca67c02a.exe	dwme.exe
PID 2868 wrote to memory of 2976	2868	e1f72ed816664b86d4db6555ca67c02a.exe	dwme.exe
PID 2868 wrote to memory of 2596	2868	e1f72ed816664b86d4db6555ca67c02a.exe	Cloud AV 2012v121.exe
PID 2868 wrote to memory of 2596	2868	e1f72ed816664b86d4db6555ca67c02a.exe	Cloud AV 2012v121.exe
PID 2868 wrote to memory of 2596	2868	e1f72ed816664b86d4db6555ca67c02a.exe	Cloud AV 2012v121.exe
PID 2868 wrote to memory of 2596	2868	e1f72ed816664b86d4db6555ca67c02a.exe	Cloud AV 2012v121.exe
PID 2596 wrote to memory of 2632	2596	Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
PID 2596 wrote to memory of 2632	2596	Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
PID 2596 wrote to memory of 2632	2596	Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
PID 2596 wrote to memory of 2632	2596	Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
PID 1624 wrote to memory of 2148	1624	dwme.exe	dwme.exe
PID 1624 wrote to memory of 2148	1624	dwme.exe	dwme.exe
PID 1624 wrote to memory of 2148	1624	dwme.exe	dwme.exe
PID 1624 wrote to memory of 2148	1624	dwme.exe	dwme.exe
PID 1624 wrote to memory of 2756	1624	dwme.exe	dwme.exe
PID 1624 wrote to memory of 2756	1624	dwme.exe	dwme.exe
PID 1624 wrote to memory of 2756	1624	dwme.exe	dwme.exe
PID 1624 wrote to memory of 2756	1624	dwme.exe	dwme.exe
PID 1624 wrote to memory of 2316	1624	dwme.exe	A41C.tmp
PID 1624 wrote to memory of 2316	1624	dwme.exe	A41C.tmp
PID 1624 wrote to memory of 2316	1624	dwme.exe	A41C.tmp
PID 1624 wrote to memory of 2316	1624	dwme.exe	A41C.tmp

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dwme.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e1f72ed816664b86d4db6555ca67c02a.exe
"C:\Users\Admin\AppData\Local\Temp\e1f72ed816664b86d4db6555ca67c02a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\dwme.exe
"C:\Users\Admin\AppData\Local\Temp\dwme.exe"
2⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1624

C:\Users\Admin\AppData\Local\Temp\dwme.exe
C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\FB590\222C9.exe%C:\Users\Admin\AppData\Roaming\FB590
3⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\Temp\dwme.exe
C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\9056B\lvvm.exe%C:\Program Files (x86)\9056B
3⤵
- Executes dropped EXE
PID:2756

C:\Program Files (x86)\LP\C98F\A41C.tmp
"C:\Program Files (x86)\LP\C98F\A41C.tmp"
3⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\AppData\Roaming\dwme.exe
C:\Users\Admin\AppData\Roaming\dwme.exe auto
2⤵
- Executes dropped EXE
PID:2976

C:\Windows\SysWOW64\Cloud AV 2012v121.exe
C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\e1f72ed816664b86d4db6555ca67c02a.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Roaming\ypmH5sQJ7E8R9Y\Cloud AV 2012v121.exe
C:\Users\Admin\AppData\Roaming\ypmH5sQJ7E8R9Y\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EfEL8gTZqYwUrOt\Cloud AV 2012.ico
Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\AppData\Roaming\FB590\056B.B59
Filesize
300B

MD5
edd3b4f4c65fdb5a1d4b86f69f3d9fc9

SHA1
96309b14fc560ba4e7e5a95ca0974983c01fa1d6

SHA256
0e412325fdc2240bf57d5234714ba8a40654e3c93aafe6244bb360cc54d85b3a

SHA512
87914935439bcab01d8314acd78b669f4a7293b396ce8c6ac228839fa98e8896497f7b505a09c1047d14ef802febdba162f06b5915dc2b7ea750ba59e20f1b10

Download Submit
C:\Users\Admin\AppData\Roaming\FB590\056B.B59
Filesize
696B

MD5
dd568ab74556dcd021930f0c931df932

SHA1
95f3d4c3dc1b761b20f2a78e4bb6de652a3ea6bb

SHA256
c09331db668bc1a404db52d0460e4676f9540acc12690d799bfb2c4b98851ff5

SHA512
e6defffeab8b51472975525b8f5c39ba947aaac8d9290c8afabf7659cb4b7127f8087c1cc9f3c73e54809cabd216b85c45978534160a007e41c91800bcbd2318

Download Submit
C:\Users\Admin\AppData\Roaming\FB590\056B.B59
Filesize
1KB

MD5
61bc839e09b5dbd66f04a6ebc8c1bcd4

SHA1
6a0f4ec4e401814eb4a106ab9865936a131c9554

SHA256
e2271c5df504e06225e044a50ecd2ce159dc7a1384ba78417d8de4055fc27df9

SHA512
4b4be57c2970cb2db4aebd65dad3f92234ce7cf3552b43a547ca4b7f7c5d27db6a2730d996002fcb927105379b6f84e691bffa651cb5871bbb368b550f2f0185

Download Submit
C:\Users\Admin\AppData\Roaming\FB590\056B.B59
Filesize
1KB

MD5
7c13b81585bf9ed4b14af7ee35af6440

SHA1
4909f2480f8ea1dd13ce27765cb9e1bcc19c4e5f

SHA256
4f96a76bf9b8e3c811672e9b9596692c117b0b6d8e2587b6e9df6cd002f7c34f

SHA512
dcd4b485bf13dd80f23874ffd9eb038624aeaa9b49820b58bab580ee5e393761c9be843ed8b8a8ddd18e75c4955b12d2364f735c05d9c5297cde70e73b4d30db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk
Filesize
1KB

MD5
d43de7f58e06201e75d33dde6307b3fc

SHA1
3b4602ea474a0089e179137bd3c6a894cf473187

SHA256
6d3f01751addb0daa8500e1dafd7fcfd6986bf06ccf25c52b16cf513ae592315

SHA512
1515908267b838a1ee1a096c8a582341a08f3dcbb366a069fab46e71c19aa0ed3eb83f431e72ef5e0862140e02a92237bb8ee353a8242a947e02b7be84a5d581

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni
Filesize
610B

MD5
370a068d2efa00b574791da10ce0780d

SHA1
0fdb66464ff18e3a87c9bd8385eee6a6847e6c2d

SHA256
71e02a9f9d41e3ad3ac6f18009d4489c514a0359fce805d3783b3220271f88c9

SHA512
cc661822c538b16c2a11ceb03b4a36176184779d5f2bf11db8e4876b4bc16eb8d9d589042a024cac5c0c55647b765f3f3aad9dd8cbbd6589e40867c4eb9aaf0e

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni
Filesize
1KB

MD5
9d7546afbebd4dad7d29ac2eab1ea783

SHA1
4be047789ce59c62685d8196646765d13740422e

SHA256
27fc64ecb3edb479e0fa0524bd0b6e35f0dab99a3d809bf77e7e4e14e3f1a058

SHA512
34abc4d137b49df46b292bd725943c6b6b70aae144dfcbe5bb675833ab544649264f0373fa3fdf01e28b797335b96f715edd509ba853c6452f28541ea1e3bcd2

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk
Filesize
1KB

MD5
1cd8cb40d56e30ebe6aff9e52008a462

SHA1
a4aaea12dbd51f447979536cdb3ee2d5a7e4afd0

SHA256
d7569eb4a19f05370185ae9c81bf3a55c45982194a77bfce5a9f091c383fd3f0

SHA512
f0f978177bc239b3a2cc4fc3d95cc26a9c37b4732ec086ff0c668735b9e32ac2bd79eec9b821ed29739ceef88194d7216ca275203c984ba4de0bde82cfbbf718

Download Submit
C:\Windows\SysWOW64\Cloud AV 2012v121.exe
Filesize
1.7MB

MD5
ead0283f036d05156d40792e4fb76687

SHA1
754073d44cb4d5344b1dc823a247b609990db670

SHA256
0a86f7558f4449f4e78733646dd67b91b79db59e7010318b1462daa56805cea5

SHA512
98f8b5234fa79bb18e3b641721dc0c067b58199c45461fc1590f1e90c1a9d5ee8c3bc83d19b2f5d0c4e3df573f4900b4d90e9fa42a672b0c3ca8bbce4cd91f3d

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
55a8b50e6967e7957c909cd1c2c4dab9

SHA1
d70a94eaeec53d2b83e74fac59d34a65c18d993b

SHA256
fa072ed01b39e88b4b4f8563a26ca42d9e550008c028b22d27648ef0d234c24c

SHA512
8f9b51628855a52930a4130c03663558de529b5f7b3d906442a105e0bb9d951f9b6c0b104e8f96ca2b260dc2fecc537885ed82852d94a3d751e3a4de580cc172

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
da0b9818974830e6cc8c53d855024ef5

SHA1
143492d0d605c5cfb78fccc673f9833cd9021d28

SHA256
f9775809c47a90a797fe5acfb6ba1dab45e094d5f0f99f90b80a663033e5aefe

SHA512
fa38c2f28f3c1e13c20d0c3817613165fd56a424468b236b34f077f157431c2f0d6b5fe920873e170165612726c59107dcb41069449b564cd82acfbe8dab9922

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
ad82579e7c2ec841e0584f3a86959e8c

SHA1
6dd0a8f6390b2d254e8a16c469037e256f678dbf

SHA256
8edb4d9c2a56297971f4b0dd4d4680e022efb08002ab08cbb50d83ed1ec7fc47

SHA512
f83aba525ec1643309145335ed4d2e349e0227f56cfa6fc056861863873fb96911fa33a8262267cf2761d21faab46b699b0859cc51ab5a64cc1785ea441057df

Download Submit
\Program Files (x86)\LP\C98F\A41C.tmp
Filesize
99KB

MD5
ac9682380b3c94ffe32d0aca1a53d53e

SHA1
7c1485c7d2720d433306ff5c86fd944331bc4447

SHA256
cd0e4cd89551d243fd1365950d28470d56a09f29e834d13288f6ca1aff4c1626

SHA512
978eaa0bfd1c62d4e7eaac0470ed29dfcc683aef8b087fbd76caf1218d700010d1bb2ae1d155811665e52c842326bef1779d082161b72c8c25c8e6167ea12eb9

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe
Filesize
279KB

MD5
c97ff984c8643e9a8404592683cd7162

SHA1
9f0e2724d047c794b4457fb799cc6e96438a7292

SHA256
1c5529c199a8a1744246396812a2e90c847ca78a6a438592010fe1b0573fdf32

SHA512
f18481023fc45bc8618dd2aa481d806d1c799b5a635ed2ad64be0ed3f26470330973bfa04a56349f8cc473761bab1ea1780d07c7d77b5895b4aef0219e7a4bf6

Download Submit
\Users\Admin\AppData\Roaming\ypmH5sQJ7E8R9Y\Cloud AV 2012v121.exe
Filesize
1.2MB

MD5
5adf601fc3f5995180231f3bb790ea21

SHA1
fd48ed2d2dc62069ba529d1361d0bcdf8d32d8aa

SHA256
75d8374f924fa5746f24eca89e766ffc59b8c7ea134da4d8a7d81b1282083e89

SHA512
38665903e821155ac552ecfc501d37a952180404077230d78ba8784bc6fcb1b21d9f4ed8789f04b4a7eeb31060523e825ddf168f906eaea91b5f062d4bb6cf0c

Download Submit
\Users\Admin\AppData\Roaming\ypmH5sQJ7E8R9Y\Cloud AV 2012v121.exe
Filesize
1.9MB

MD5
306d25bb93d22f59e9785b71c0d926ba

SHA1
1fc7b255752cf66bf2aaa6c662bc063d7467e32b

SHA256
da2e9a346f7de7376ff5d28d9822484bd70f4f7d72d4e6f4bf2a93d00c3cf0f3

SHA512
19a078bea5f5f1356a544c908e03a092cd8aa8db30ecf098a1f97c8069385eae8132d2473fdbd88814a2f36dbfc8ad267b40746186b75b206fdb95b7ff5f8d13

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe
Filesize
1.9MB

MD5
e1f72ed816664b86d4db6555ca67c02a

SHA1
2076dfc63d22fc991c8b8216757d22a34ec19f0c

SHA256
e989f0886cc1a989479cfe91d0f660223e486de22ee05749dc93ebb4a31f6acf

SHA512
3cacb0a979be4b7b89d830dc47ce3a139da47dfe21543aef092678c9d1129ed3e99d60cd027768c5a2405a580bea9e39b120c4f3b79e2de06f1ae83abb1c8288

Download Submit
memory/1624-223-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1624-34-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1624-396-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1624-35-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/1624-142-0x0000000002300000-0x0000000002400000-memory.dmp

Filesize
1024KB

Download
memory/1624-312-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1624-141-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2148-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2148-134-0x0000000002260000-0x0000000002360000-memory.dmp

Filesize
1024KB

Download
memory/2148-306-0x0000000002260000-0x0000000002360000-memory.dmp

Filesize
1024KB

Download
memory/2284-327-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/2284-218-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/2316-309-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2316-318-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2316-308-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2596-43-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2596-30-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2596-29-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2596-28-0x0000000002EC0000-0x00000000032D5000-memory.dmp

Filesize
4.1MB

Download
memory/2632-214-0x0000000002F00000-0x0000000003315000-memory.dmp

Filesize
4.1MB

Download
memory/2632-131-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2632-48-0x0000000002F00000-0x0000000003315000-memory.dmp

Filesize
4.1MB

Download
memory/2632-321-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2632-303-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2632-49-0x0000000002F00000-0x0000000003315000-memory.dmp

Filesize
4.1MB

Download
memory/2632-211-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2756-213-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2756-215-0x0000000002350000-0x0000000002396000-memory.dmp

Filesize
280KB

Download
memory/2868-27-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2868-2-0x0000000002EB0000-0x00000000032C5000-memory.dmp

Filesize
4.1MB

Download
memory/2868-1-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2868-0-0x0000000002EB0000-0x00000000032C5000-memory.dmp

Filesize
4.1MB

Download
memory/2976-45-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2976-47-0x00000000023F0000-0x00000000024F0000-memory.dmp

Filesize
1024KB

Download
memory/2976-46-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download