pony | 504283d6b0d927c895624c91355166b675f685487f6d90985364c49d79d7af24

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
Size

2.8MB
MD5

df18a0564994b769d501cd7bf5911291
SHA1

c26015ba47f54524aca183b500ffafdb4773e709
SHA256

504283d6b0d927c895624c91355166b675f685487f6d90985364c49d79d7af24
SHA512

705b77279ff8c29430de1b3e174496ca9019e53f57b3afda1439cc2c930af8894d71a1b3ac6179bb708365a6e869c89d13b7581b583b8cb61bb5179453e28721
SSDEEP

49152:W52c0o7BhDIjyyMP0/KM9MBQuM8T98oh3MYAZCwxo/v+KFJZf9V43ciL8E:dvo9hDI2yMP02BQuM8+oFMY6CekHGcij

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Security 2012v121.exe

Executes dropped EXE 8 IoCs

pid	Process
1808	dwme.exe
2852	dwme.exe
2860	AV Security 2012v121.exe
1532	dwme.exe
2360	dwme.exe
2164	AV Security 2012v121.exe
2240	dwme.exe
1940	312E.tmp

Loads dropped DLL 16 IoCs

pid	Process
1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
1808	dwme.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
1808	dwme.exe
1808	dwme.exe
1808	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-7-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral1/memory/1808-18-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1292-34-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral1/memory/1292-39-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/2852-41-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1532-56-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2860-71-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral1/memory/2360-76-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1808-106-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2240-174-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2164-175-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral1/memory/1808-182-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2164-252-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral1/memory/1808-276-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2164-282-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral1/memory/2164-296-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral1/memory/2164-308-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral1/memory/1808-354-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TIVrlONtx0c1b3n = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bQJ6dWK8fLhXjC8234A = "C:\\Users\\Admin\\AppData\\Roaming\\YJ6dEK8fR9TwUeI\\AV Security 2012v121.exe"	AV Security 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9FB.exe = "C:\\Program Files (x86)\\LP\\4674\\9FB.exe"	dwme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UuvS2ibF3n5Q6W7 = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	AV Security 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aYCekIVrzNx0c2b8234A = "C:\\Windows\\system32\\AV Security 2012v121.exe"	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Security 2012v121.exe	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Security 2012v121.exe	AV Security 2012v121.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\4674\9FB.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\4674\312E.tmp	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\4674\9FB.exe	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Security 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Security 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080000000801d22019d495602c8929c05e8888d05db5c5b01b80605004f0001000100000000000000000000000000000058b0b0b0b0000000adfffffffff6f8f3ffbfc789ffa7b744ffc2cd63ffe6e977fff1f37dffe6eb65ffa3ad03e41f2c0035000000000000000000000000000000a5ffffffff000000c000000080232c01bc8d9b34f5b8c157ffafb832ffc8cc1dfff4f680fffeffe0fff7f9ddff94a501e4191a005f0000000000000000000000c0ffffffff7f7f7fffc4c9b5ff7e8546ffadb45fff96a427ffc5c97dffedebc1ffdbdca3fffffedffffdfebdffdae13dff424a01ba0000000000000000000000c0ffffffff000000a6252801bb697230f9868b1dff424503a80000004d0000004d03040050818a2dc9f0f44cffe4ec30ff6b8002e30000000000000000000000c0ffffffff000000a62e2e02d4686724fe7f7a09ff1715016a0000004d0000004d0000004d33350180cdd826ffe7eb93ff7e9423f00000000000000000000000c0ffffffff030303a8282001bb85804ef9b0a561ff615525b40000004d0000004d0001004e6d6725bbd1cc74ffb0b457ff323b02d30000000000000000000000e07f7f7fff030303d61e1c0c89797246edd5cca9ffb2a165f5675b2db624200e7365622abaafaf56f6dedaacffa2a25cff151d01a90000004b00000080000000c07f7f7fff0e0e0eb00e110eb134340dc7b2a574f6d7cea9ffc8bb87ffc6bc87ffc6c58effe3dfc2ffaeb167f6a7b07dff0001008000000080ffffffffffffffffffffffffffffffffffffffff161813b8574418b2a89158f0d8ccaefce3ddc5feccca9dfbb2ac71f3434607aef3f6eeff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e78504931996c5720c6795714d96a531dc54e4d2f9b3e403e79ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0010000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133707458374522000"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698140034162000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000903459d1c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000d07692cac2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	dwme.exe
1808	dwme.exe
1808	dwme.exe
1808	dwme.exe
1808	dwme.exe
1808	dwme.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2736	msiexec.exe
Token: SeTakeOwnershipPrivilege	2736	msiexec.exe
Token: SeSecurityPrivilege	2736	msiexec.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
2164	AV Security 2012v121.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
2164	AV Security 2012v121.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
2860	AV Security 2012v121.exe
2860	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe
2164	AV Security 2012v121.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1808	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	30
PID 1292 wrote to memory of 1808	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	30
PID 1292 wrote to memory of 1808	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	30
PID 1292 wrote to memory of 1808	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2852	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	32
PID 1292 wrote to memory of 2852	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	32
PID 1292 wrote to memory of 2852	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	32
PID 1292 wrote to memory of 2852	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	32
PID 1292 wrote to memory of 2860	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2860	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2860	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2860	1292	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	33
PID 1808 wrote to memory of 1532	1808	dwme.exe	34
PID 1808 wrote to memory of 1532	1808	dwme.exe	34
PID 1808 wrote to memory of 1532	1808	dwme.exe	34
PID 1808 wrote to memory of 1532	1808	dwme.exe	34
PID 2860 wrote to memory of 2360	2860	AV Security 2012v121.exe	36
PID 2860 wrote to memory of 2360	2860	AV Security 2012v121.exe	36
PID 2860 wrote to memory of 2360	2860	AV Security 2012v121.exe	36
PID 2860 wrote to memory of 2360	2860	AV Security 2012v121.exe	36
PID 2860 wrote to memory of 2164	2860	AV Security 2012v121.exe	37
PID 2860 wrote to memory of 2164	2860	AV Security 2012v121.exe	37
PID 2860 wrote to memory of 2164	2860	AV Security 2012v121.exe	37
PID 2860 wrote to memory of 2164	2860	AV Security 2012v121.exe	37
PID 1808 wrote to memory of 2240	1808	dwme.exe	39
PID 1808 wrote to memory of 2240	1808	dwme.exe	39
PID 1808 wrote to memory of 2240	1808	dwme.exe	39
PID 1808 wrote to memory of 2240	1808	dwme.exe	39
PID 1808 wrote to memory of 1940	1808	dwme.exe	41
PID 1808 wrote to memory of 1940	1808	dwme.exe	41
PID 1808 wrote to memory of 1940	1808	dwme.exe	41
PID 1808 wrote to memory of 1940	1808	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\49E3F\4FA46.exe%C:\Users\Admin\AppData\Roaming\49E3F
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\3FDFF\lvvm.exe%C:\Program Files (x86)\3FDFF
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Program Files (x86)\LP\4674\312E.tmp
    "C:\Program Files (x86)\LP\4674\312E.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1940
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\SysWOW64\AV Security 2012v121.exe
  C:\Windows\system32\AV Security 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Roaming\dwme.exe
    C:\Users\Admin\AppData\Roaming\dwme.exe auto
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Users\Admin\AppData\Roaming\YJ6dEK8fR9TwUeI\AV Security 2012v121.exe
    C:\Users\Admin\AppData\Roaming\YJ6dEK8fR9TwUeI\AV Security 2012v121.exe 5985C:\Windows\SysWOW64\AV Security 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mCB6A.tmp

Filesize
235B

MD5
9ecd54596b0e3e8b44cc923aa042d2c4

SHA1
87f180bcff9fcbf4abd193f1a1b5b8f0c9c945d7

SHA256
ca7f5a27c0f966bd5e0cdc85858f211202ffae7e1224f2f83135c1c6c0811114

SHA512
2b74e3ec3b301345afe53f28f626fd711c69b9230763481589b5b259d399a54a2d53ceefcdc3fd0c3fa813bacaed8707013a95c4f885f942c0692312fa5cc06a

Download Submit
C:\Users\Admin\AppData\Roaming\49E3F\FDFF.9E3

Filesize
300B

MD5
dd467fbac6d90fdcc214488b9bafc95b

SHA1
92468d6679d677fcafdc58df67cc84cab34ca97b

SHA256
1694abb34eb77549665a170ada2b46688f177658cee7ce22ad44c568d4c82774

SHA512
b2369106b49ed6d47ecc3835ec0ed889d0a74fbb6d6a31df67a75cf3fcd4f3c668812694265435658e68a4432c0890ca918a43895adc592c2b24cfb36db6710b

Download Submit
C:\Users\Admin\AppData\Roaming\49E3F\FDFF.9E3

Filesize
696B

MD5
b7dd7d4bf91968decdc25ae8e1a38d8b

SHA1
4cd13717c233c8e2c908d84460707b86f386b951

SHA256
5c94b3dcabbb33577a653e4c1a8d3fb78b83d3d33055411a3cf3b1e9d5e365fd

SHA512
96057300646a766cd8ffdbaf67da9e56259761ef6a112237e038abbf043e3893d1bd78198e9143f83caaddafc28624e284ef5c8091f9891ba249549ba2077632

Download Submit
C:\Users\Admin\AppData\Roaming\49E3F\FDFF.9E3

Filesize
1KB

MD5
726133f0064a56894d5fbdd705299944

SHA1
958cb889b572990028d975a069e554f6ab240f06

SHA256
dffc72e68f53e442400155c6cb4c45af0f2b6aefddba45ed2c5db66d4fc002bf

SHA512
fd6225d623ad5dbcb790b489959e5c62ba6d1a8b9c7c7cf030417cd93f18b88d74414acbaa7308cc3d4a5850bb2575a424be27bb9c58b6490e11aa147a78d361

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk

Filesize
1KB

MD5
afd2fef4b2a36e0f209d696812f6ef2d

SHA1
71ac48dfc4ec30b59e9e60823d7af41075f9f03c

SHA256
580d27833895d101b8b128ae8981be891ce39e85ac724e4ccefdae0d8a0ea435

SHA512
e7142527419091916ff581e183d8233fc89336a6343ee0486182b4f62284b6d7f883c3ac485cee0004ada2300caac17fa3d7ee7c5774fef8b8bf17ab98559918

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
3f4cffb6a9ef7de6ef36780912f74163

SHA1
25dbe751defb7cfea499ad339882c3b57c2946f3

SHA256
b2f0bb11a81b8560d4a70bfcb945b4d0e0b3925c31da4ae8c9e7b96c86b6fffd

SHA512
13b4c8016ac5e55d88ab77c7fcc45f2ec955d60803a7a7682f5e3887e4d4dbf79c5c0aa03c59648db7fc6f0483f61ba34705da973d46d3d3061555ad48de30ce

Download Submit
C:\Users\Admin\AppData\Roaming\lqhYXwkUVlBz0c1\AV Security 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\Desktop\AV Security 2012.lnk

Filesize
1KB

MD5
b0ebcb7dae0eb5380a25222c33f8798e

SHA1
2ed784b58739fe11e380dc29c5d190ddcd683b72

SHA256
82046c71fe4fb4636f11bf2af93ac435b7bfd88a3e49ed28df9c9cecdfe44002

SHA512
d523b53502b4140cf9542e2691a5951490365f335152493886520f721be7a4027969cf058b93a709e5c4e1c396ab5ea08c56e1eb9f005ce23d56fc634eaba1f9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0c7507b36c53bb50ab29842ceda6bf5e

SHA1
a772f99514dd18a29b1233d16392bdedd384b7de

SHA256
7a270ccdfd864348c0f4eb9f35caf0e57bda75f2aa7d525a72c18fe82b313f97

SHA512
f937ebda34dcff296fbb1dff04428f7b0f308e8927f6d5fc9f715687abea342b7eacf372fb0c1e6e99ef3df04f120ee581f6fcf14a519347ba3ae3a9cdeb46aa

Download Submit
\Program Files (x86)\LP\4674\312E.tmp

Filesize
100KB

MD5
a8ac6f40514636d32248ca72f6e9759d

SHA1
0ab176e9f97677bb8a1cf11670b4a71f01153d23

SHA256
8e82206a435ba38cb94e659b4fb8a178431e429594c6b0774f148ef0581840b4

SHA512
0784399be810d181d35c4063b0d533f1390351a4c759f58b2c86d4bfdc7cca62b1d8ad17f90edf1b89cb4a77f70d235bb25144aa325afbc8c789a9f34c1dc685

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
284KB

MD5
0e01fafd9de1d319306763f794bea644

SHA1
51aa1327daaf4e7150e3494626e565bd2ee67789

SHA256
cf348dba3d725d701556ed073ff7deae7a6216443602d2c6bb85f5906eda7d75

SHA512
7a7ccc7980321be0142e2f3a4a2c9450eec7181f1c7d4273ae8ea4c40d8eeaea13f70c2fca4bce46b662bdb236c02a89f2450ba3ac1bd442bbc55b114a0136a3

Download Submit
\Windows\SysWOW64\AV Security 2012v121.exe

Filesize
2.8MB

MD5
df18a0564994b769d501cd7bf5911291

SHA1
c26015ba47f54524aca183b500ffafdb4773e709

SHA256
504283d6b0d927c895624c91355166b675f685487f6d90985364c49d79d7af24

SHA512
705b77279ff8c29430de1b3e174496ca9019e53f57b3afda1439cc2c930af8894d71a1b3ac6179bb708365a6e869c89d13b7581b583b8cb61bb5179453e28721

Download Submit
memory/1292-39-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1292-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1292-7-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/1292-4-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1292-34-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/1292-5-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/1292-6-0x0000000002F00000-0x00000000032E7000-memory.dmp

Filesize
3.9MB

Download
memory/1532-56-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1808-276-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1808-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1808-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1808-182-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1808-354-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1940-285-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2164-282-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/2164-252-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/2164-175-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/2164-78-0x0000000002F20000-0x0000000003307000-memory.dmp

Filesize
3.9MB

Download
memory/2164-296-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/2164-308-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/2240-174-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2360-76-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2852-41-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2860-43-0x0000000002EB0000-0x0000000003297000-memory.dmp

Filesize
3.9MB

Download
memory/2860-71-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download