pony | b6ab04611ef5f5262ca25b70fc534b881f96edc1f3fd8970e78dfa19e1fc85ab

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31/08/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
Size

2.8MB
MD5

cc8b5a30376e83f870559336525cb8bc
SHA1

0bc8ef628007f6c5c2dcfdb69d11fc1e30a127a7
SHA256

b6ab04611ef5f5262ca25b70fc534b881f96edc1f3fd8970e78dfa19e1fc85ab
SHA512

c7f07468ef3555e3ff92459f9f88f19ea137a0ca7a245c1b39db7991e5d8b716e81fdb554ca3d7df66d0e0eec148d6ddf9048e233fa973e5df943c71fa7c5529
SSDEEP

49152:LtfsQ9EC3S+pGz/Jb3H33Z9A63GrzGeLMRStvTM1:1sQVpGz/533386Wr6eLHtw1

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Protection 2011v121.exe

Executes dropped EXE 7 IoCs

pid	Process
2556	dwme.exe
2436	dwme.exe
2700	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
884	dwme.exe
2584	dwme.exe
2812	4431.tmp

Loads dropped DLL 14 IoCs

pid	Process
2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2556	dwme.exe
2556	dwme.exe
2556	dwme.exe
2556	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-10-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral1/memory/2372-35-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral1/memory/2372-42-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/2700-53-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral1/memory/2436-66-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2556-89-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2616-94-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral1/memory/2556-145-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/884-147-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2616-152-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral1/memory/2556-226-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2584-230-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2616-247-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral1/memory/2556-312-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2616-325-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral1/memory/2556-399-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SxP0ucS1iDoGaHs8234A = "C:\\Windows\\system32\\AV Protection 2011v121.exe"	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cS1ivD3on4m5W7E = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wA0uvS2ib3n5Q6W8234A = "C:\\Users\\Admin\\AppData\\Roaming\\p1uvS2obFpGaJdK\\AV Protection 2011v121.exe"	AV Protection 2011v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ECB.exe = "C:\\Program Files (x86)\\LP\\399A\\ECB.exe"	dwme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	AV Protection 2011v121.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\399A\ECB.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\399A\ECB.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\399A\4431.tmp	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4431.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133695713151070000"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012c100000000000002000000e80708004100720067006a0062006500780020002000320020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000090e439c586fbda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80708004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000504fa6c486fbda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\Registry\User\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133649173504722000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000035696969690000007000000080000000800000008000000080000000800000008000000080000000800000004b0000000000000000000000000000000000000058b0b0b0b0000000adffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000000000000000000000000000000000000a5ffffffff000000c0000000800000008000000080ffffffffffffffff00000080000000800000008000000080000000800000004b0000000000000000000000c0ffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000800000000000000000000000c0ffffffff000000a60000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000c0ffffffff000000a60000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000c0ffffffff030303a80303034f0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000e07f7f7fff030303d6101010580f0f0f580a0a0a54030303500000004d0000004d0000004d0000004d0000004dffffffff000000800000004b00000080000000c07f7f7fff0e0e0eb00e0e0eb0141414901c1c1c611c1c1c611717175d0c0c0c550202024e0000004d0000004dffffffff0000008000000080ffffffffffffffffffffffffffffffffffffffff141414b428282869282828692828286928282869262626681818185e08080853ffffffff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e783e3e3e783e3e3e783e3e3e783e3e3e783e3e3e783e3e3e78ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0030000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2556	dwme.exe
2556	dwme.exe
2556	dwme.exe
2556	dwme.exe
2556	dwme.exe
2556	dwme.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	AV Protection 2011v121.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeSecurityPrivilege	2684	msiexec.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe
Token: SeShutdownPrivilege	2040	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2040	explorer.exe
2616	AV Protection 2011v121.exe
2040	explorer.exe
2616	AV Protection 2011v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
2700	AV Protection 2011v121.exe
2700	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe
2616	AV Protection 2011v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2556	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2556	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2556	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2556	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2436	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2436	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2436	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2436	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2700	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2700	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2700	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2700	2372	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2616	2700	AV Protection 2011v121.exe	33
PID 2700 wrote to memory of 2616	2700	AV Protection 2011v121.exe	33
PID 2700 wrote to memory of 2616	2700	AV Protection 2011v121.exe	33
PID 2700 wrote to memory of 2616	2700	AV Protection 2011v121.exe	33
PID 2556 wrote to memory of 884	2556	dwme.exe	37
PID 2556 wrote to memory of 884	2556	dwme.exe	37
PID 2556 wrote to memory of 884	2556	dwme.exe	37
PID 2556 wrote to memory of 884	2556	dwme.exe	37
PID 2556 wrote to memory of 2584	2556	dwme.exe	40
PID 2556 wrote to memory of 2584	2556	dwme.exe	40
PID 2556 wrote to memory of 2584	2556	dwme.exe	40
PID 2556 wrote to memory of 2584	2556	dwme.exe	40
PID 2556 wrote to memory of 2812	2556	dwme.exe	41
PID 2556 wrote to memory of 2812	2556	dwme.exe	41
PID 2556 wrote to memory of 2812	2556	dwme.exe	41
PID 2556 wrote to memory of 2812	2556	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\A337B\95839.exe%C:\Users\Admin\AppData\Roaming\A337B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\7B6C9\lvvm.exe%C:\Program Files (x86)\7B6C9
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Program Files (x86)\LP\399A\4431.tmp
    "C:\Program Files (x86)\LP\399A\4431.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Windows\SysWOW64\AV Protection 2011v121.exe
  C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Roaming\p1uvS2obFpGaJdK\AV Protection 2011v121.exe
    C:\Users\Admin\AppData\Roaming\p1uvS2obFpGaJdK\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A337B\B6C9.337

Filesize
300B

MD5
d93da216952c436899f3f41f308559aa

SHA1
6d8960dd8c417dc261ee0b8efab8a0428a91020d

SHA256
a651b6ced7ebf332eda2bc0b6b1524d56760b7719004c06ac9055c4eb334f395

SHA512
20a6f40663043f0912650804b0feadcf69860cfdc0fa0dd50ef6033636a7a11927111b3d8d237ebfb19d677ec304c8934f98a2b717a0cc4ffdd1cd257843e989

Download Submit
C:\Users\Admin\AppData\Roaming\A337B\B6C9.337

Filesize
696B

MD5
9e8f15e359d929b473d8669713b5abd3

SHA1
a35fd8f01e4636564b903ea6785b231277cb6023

SHA256
5a274a0410eed8c965661fa4520146998de4a874c59d7b239fb9aa9ebb407e5f

SHA512
6dd6d6ae0487f5cedf12b9ac2414fdb1f831e99b6702370c8f560029dc8fd5707cb0b2ee4d16b51abfa3e8861aa0a2f53c85b0541126f8b8a62129570028c6a8

Download Submit
C:\Users\Admin\AppData\Roaming\A337B\B6C9.337

Filesize
993B

MD5
3bbb3154d1b8eb2b0c3a0c63309d4e26

SHA1
680dfc36bf83180edbeaac1258f30b27ad2aee43

SHA256
5d5d777b6f97fae7c151020f15fc14623dd6cf6482dbe707913bef45a0361ab1

SHA512
54b0de43c683943224e4a9a47bcf34a6f825313a946e04c8fd241b589c4b98883446a061199f338d8a77c317f3c05fa045e288a6a3d0a674538099a160652c4a

Download Submit
C:\Users\Admin\AppData\Roaming\A337B\B6C9.337

Filesize
1KB

MD5
e7894f6cc5ae8fa7b7fc202d73cc0dc3

SHA1
4ae002448c2f5606b1cbfea75067c0c568f7b43f

SHA256
80abc34fe2db1ea30bd531d0619b795b4a59ae768172338de611bbc7e22e447f

SHA512
907517beb3ae2f40b537052231d695c79d341650aa52c48e0b91ad6bf5b66e6adda4581b1d247be5f6248cac90fef3781cd764b84de4a14a05fbbff58e802822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk

Filesize
1KB

MD5
8bb485895820bbdcb0478fd32ecda204

SHA1
3667c58bfd72ab3d922b89adef88a34127392fee

SHA256
b96922741a4e42a34e1061e532f7be797155cf3db502e2388c11e2bd8c6f5e65

SHA512
13ea07d6b0c235b7adadec1044d41d91c44377711bb005c5fe4d3988f9c6d3285f11cbef45ea16bfe923c5af60ba4f4c34c4ac227463ed6783b1b67f57496a97

Download Submit
C:\Users\Admin\AppData\Roaming\d3onF4amH\AV Protection 2011.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
21003a1c7b5ec931ea7de3af005e9b77

SHA1
f53799afd39f9af5d1772b1deb5566df525c7ba9

SHA256
a286f85d0e73d049274ea7eb6d6f7203050d69705a2fbe87268bb2d6d0709f88

SHA512
ee8dc5d3c00f8c6153117ae8e95c13164498264477cb98f831d1a1e5b72112b5de281ff4f26219d694ed5f0b442283b86250fd3efbb691d5fa4385c70b5a81bb

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
611B

MD5
93cf523ad1d5afc1897dfcfa6e506d01

SHA1
9a08a6f943ced1e65618a5193cfc1cb94cf2d5bb

SHA256
203b4a6252e0e95f30611d7703dbb34b657dfbd4de41ac113077b40d0e947ad7

SHA512
b3fa8f93c5fa11f33b5372fb4b7b0b82d40843e446714662e75d8ea1bfeaac6ded2dcd573172d03464142e61c5a5257abf800bb260c6f7cfcf3412111cb4bdfe

Download Submit
C:\Users\Admin\Desktop\AV Protection 2011.lnk

Filesize
1KB

MD5
e891acd7576d19f38368ae7e15355222

SHA1
bb758e5976d0754de239dc540704ade6bdd145be

SHA256
01f1699abc2654eff2e4843c9595a48ca8430da9ede6abef93013349ef4d4016

SHA512
1061e7cbe7783fd684ea8108ff10f625ecbfdaa6bf32da395efbae5bd1ff069c4fbed53b4cd3eef860ed6fd020194777549fc92d75c0ff0e836fcf205c983ebc

Download Submit
\Program Files (x86)\LP\399A\4431.tmp

Filesize
100KB

MD5
de4945aedb66456dc2f3ee1acfba3246

SHA1
1b0bc34168f1735ad4ac66155309102fb566ea63

SHA256
91f6bb5318ef3615012be80cfb8cc4ed8e81b31bf52215c15684d700fb8b8b5b

SHA512
ede90603a8645063d3180e6283f6c12b26d66a0238cc54187090d80e02455c5a0cc68d0a232ce785c55a1fd4a890292f077ceef35141658a0e32849f8576acd7

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
283KB

MD5
cc6f0b2fd70c63672de6c1249f0e9cbb

SHA1
72caa65da6f0a4ce78a0c22b5ad64540b87e2912

SHA256
3e4d6fd109879dc3f608f08e0e152b26b93dce0d08e10d4c2308aedf2fbc1177

SHA512
a8b2199357092780aa62db1959bc631cd8138e54fb62312fbc10738fa5543afa3e252e0fc3ec08399e7c80e2cfcfa795262b0060ad4386811219cac94b032db6

Download Submit
\Windows\SysWOW64\AV Protection 2011v121.exe

Filesize
2.8MB

MD5
cc8b5a30376e83f870559336525cb8bc

SHA1
0bc8ef628007f6c5c2dcfdb69d11fc1e30a127a7

SHA256
b6ab04611ef5f5262ca25b70fc534b881f96edc1f3fd8970e78dfa19e1fc85ab

SHA512
c7f07468ef3555e3ff92459f9f88f19ea137a0ca7a245c1b39db7991e5d8b716e81fdb554ca3d7df66d0e0eec148d6ddf9048e233fa973e5df943c71fa7c5529

Download Submit
memory/884-147-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2372-42-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2372-6-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2372-7-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2372-8-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2372-9-0x00000000030A0000-0x0000000003491000-memory.dmp

Filesize
3.9MB

Download
memory/2372-10-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2372-35-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2436-66-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2556-226-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2556-145-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2556-399-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2556-89-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2556-312-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2584-230-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2616-247-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2616-63-0x0000000003120000-0x0000000003511000-memory.dmp

Filesize
3.9MB

Download
memory/2616-94-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2616-325-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2616-152-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2700-44-0x00000000031C0000-0x00000000035B1000-memory.dmp

Filesize
3.9MB

Download
memory/2700-53-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2812-326-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download