pony | 491447129af236e0ddb718e0b40e40ef2b2904efad2895a85aed3f2ab8b0e440

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 02:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
Size

1.9MB
MD5

f119cfe2437e5e2cd663095695d445d6
SHA1

0f75d60069e5a47bca8ebfe6822bdecc79803a6e
SHA256

491447129af236e0ddb718e0b40e40ef2b2904efad2895a85aed3f2ab8b0e440
SHA512

3795822f2fe87fc483899b9c0c9ca390d09d6cbd1bfae2f07eceb8e7c1c7195e922909eebd20ea7fa08618b5f3a1f5db97b51ea8460acc87852af36c50198b89
SSDEEP

49152:w/DsUN6okJ1FhHUmbA2PSrJpyRLlim3UoiMQ:IkLFuIA2x/T3UoDQ

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 7 IoCs

pid	Process
1792	dwme.exe
2224	dwme.exe
2992	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
1304	dwme.exe
2704	6680.tmp
2888	dwme.exe

Loads dropped DLL 14 IoCs

pid	Process
1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
2992	Cloud AV 2012v121.exe
2992	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
1792	dwme.exe
1792	dwme.exe
1792	dwme.exe
1792	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1648-2-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/1648-29-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1648-28-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/2992-39-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/2224-93-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1792-98-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2736-103-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/2736-115-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/1304-134-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1792-141-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2736-146-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/1792-227-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2888-231-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2736-234-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/1792-384-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1792-408-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y1ivD2onFpHsJdK8234A = "C:\\Users\\Admin\\AppData\\Roaming\\samH5sWJ7E8\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A92.exe = "C:\\Program Files (x86)\\LP\\3CD8\\A92.exe"	dwme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\q2ibF3pnGaHdKfL8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NnG4aQH6sKfLgZj = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\3CD8\A92.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\3CD8\A92.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\3CD8\6680.tmp	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6680.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133714475211014000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080000100801d24019d455402c75b7105dd455402c71c22019d0001004c0000000000000000000000000000000000000058b0b0b0b0000000adfffffffff6f7f2ffbdc888ffa9b745ffbbc764ffc8d27affbbc764ffa9b645ff374101bc0404000c000000000000000000000000000000a5ffffffff000000c000000080232c01bc909e38f6b3c054ffa1ad2bff96a213ffa2ac2bffb7be55ff909934f5242801bb0000004b0000000000000000000000c0ffffffff7f7f7fffc8c8b8ff728038ffb1bc6cff9aaa33ffbfc77dffebecd3ffc3c67fff989f26ffaaae56ff787e3fff0f1300a40000000000000000000000c0ffffffff000000a6223001be607a2af9869c2dff494f0ead0002004e0000004d0000004d444203a68c8b1aff757537ff232302cd0000000000000000000000c0ffffffff000000a6284702d9a3a77efe728909ff1718016c0000004d0000004d0000004d201d0170958b09ff7e7a1dff312d02e10000000000000000000000c0ffffffff030303a8272701bd90955efbbdb778ff666125b80102004e0000004d040400508f8143c8e8e271ffcec955ff615702da0000000000000000000000e07f7f7fff030303d61d200b8b7e7d44efd7d3a3ffb6b455f77b7930c43e390e84a29872d2fefef0fffcfad1ffd9d161ff423b01b60000004b00000080000000c07f7f7fff0e0e0eb00e100eb137380cc8b8b669f8e5e6b6ffe3e49effe6e475fffefebefffffff8fff2eeb8fdd7ca4cff1816008c00000080ffffffffffffffffffffffffffffffffffffffff181913b9526215bed1ce93f9e2e4aafdfdfbd9fffafabbfeece781fcada704dbf8f4daff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3b493b7f4a5e2ba56f7218cfb2b422efa2a217e1837d22ba42423d7bffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698140109756000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000d0c797fbc2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000a026f8f3c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	Cloud AV 2012v121.exe
2992	Cloud AV 2012v121.exe
2992	Cloud AV 2012v121.exe
2992	Cloud AV 2012v121.exe
2992	Cloud AV 2012v121.exe
2992	Cloud AV 2012v121.exe
1792	dwme.exe
1792	dwme.exe
1792	dwme.exe
1792	dwme.exe
1792	dwme.exe
1792	dwme.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	2264	msiexec.exe
Token: SeTakeOwnershipPrivilege	2264	msiexec.exe
Token: SeSecurityPrivilege	2264	msiexec.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
2992	Cloud AV 2012v121.exe
2992	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe
2736	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1792	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	31
PID 1648 wrote to memory of 1792	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	31
PID 1648 wrote to memory of 1792	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	31
PID 1648 wrote to memory of 1792	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	31
PID 1648 wrote to memory of 2224	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2224	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2224	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2224	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	32
PID 1648 wrote to memory of 2992	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	33
PID 1648 wrote to memory of 2992	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	33
PID 1648 wrote to memory of 2992	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	33
PID 1648 wrote to memory of 2992	1648	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2736	2992	Cloud AV 2012v121.exe	34
PID 2992 wrote to memory of 2736	2992	Cloud AV 2012v121.exe	34
PID 2992 wrote to memory of 2736	2992	Cloud AV 2012v121.exe	34
PID 2992 wrote to memory of 2736	2992	Cloud AV 2012v121.exe	34
PID 1792 wrote to memory of 1304	1792	dwme.exe	38
PID 1792 wrote to memory of 1304	1792	dwme.exe	38
PID 1792 wrote to memory of 1304	1792	dwme.exe	38
PID 1792 wrote to memory of 1304	1792	dwme.exe	38
PID 1792 wrote to memory of 2704	1792	dwme.exe	40
PID 1792 wrote to memory of 2704	1792	dwme.exe	40
PID 1792 wrote to memory of 2704	1792	dwme.exe	40
PID 1792 wrote to memory of 2704	1792	dwme.exe	40
PID 1792 wrote to memory of 2888	1792	dwme.exe	41
PID 1792 wrote to memory of 2888	1792	dwme.exe	41
PID 1792 wrote to memory of 2888	1792	dwme.exe	41
PID 1792 wrote to memory of 2888	1792	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\8B185\8D33C.exe%C:\Users\Admin\AppData\Roaming\8B185
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1304
- - C:\Program Files (x86)\LP\3CD8\6680.tmp
    "C:\Program Files (x86)\LP\3CD8\6680.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\854FE\lvvm.exe%C:\Program Files (x86)\854FE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Roaming\samH5sWJ7E8\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\samH5sWJ7E8\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8B185\54FE.B18

Filesize
300B

MD5
4d4b5fbce473bf9c79da7db611a9b03d

SHA1
1298b10ef099f4dab5d5c7d8bfe08e7eb13092d2

SHA256
70bd9fd638a342e826c9c05b471948051000efa834a432a9e29db8e13a21b988

SHA512
91ba1494da8258804cf196c2c990676b7ec01f4f04a5e6740186e7011201092ce2c528a4ab8577fe9334dc65622cddaaecf5caca22aff047fcec754d3619b871

Download Submit
C:\Users\Admin\AppData\Roaming\8B185\54FE.B18

Filesize
597B

MD5
1e491c36e87d989fdbc5c5a70013dd98

SHA1
d64ba044bbe2959a546148fe400e5ed93a9cbc50

SHA256
729e585bac4bd61ed2a350e08fde9f2f3dd5ba7254ecb40b8c58e1a7a1fae873

SHA512
d7f105f32a49af8c4f6205ad0f9f493d366dc4bbaf7a9db5e18794ab247eda156d836c0c7fc0d1a27c322f93e36b08c574dece4a330778ccd7eef187045e5a2a

Download Submit
C:\Users\Admin\AppData\Roaming\8B185\54FE.B18

Filesize
993B

MD5
6f57286085d3b344203b1c9ea0ad78a6

SHA1
2f3aa1143d5a3c0ecf7b4377e2a80a3fdee63851

SHA256
4ea550d907de4dd28d06263f9eb937c18900a33778ad7061d564a35d55c0b2a7

SHA512
4f1678969f9f14535fc471246589ee5a26a5d9e3b95bc90325cc3406cfd670792986c73f38d1a0dd7dd8eff32e2e78be4804ca5555b45711f844aa48d2b9016d

Download Submit
C:\Users\Admin\AppData\Roaming\8B185\54FE.B18

Filesize
1KB

MD5
6fba9eee2f7d05ab704c9e217c068e16

SHA1
2a2caa8659d72a5cdbe25bb524097941e7e92df7

SHA256
218fb6a392dfb1e709debd2090def445fff99da92e6fb288a4e516352348a147

SHA512
9c17b3fa472ba9ca4f32ec3cf603fd157f63977b0b6c7097461b8c69789c16a9029f29d1576170fc30f554b951293110ed0078ff15a30037bacc7860bbde0f09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Filesize
1KB

MD5
ff686779629f62bcf6333d63ba8537bc

SHA1
25dd28a3310517183802d3b4de899d476b47285f

SHA256
32ffcce2c70ea2068e0247e29e341c315633768e12c782cf10496a5b31bd61b9

SHA512
271f3e6a55ca8c22c9798ff86ad7aebf0ce445b6721c00102c17b9ba4cd606884bd1686870feb4175c69fc028c2e26065de0d877a129bdd530279cdbf05f0683

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
086d3c0252d6b3f252e4f2bff0c61662

SHA1
4f3e7c817c576d2523f50b19057ff3f505295bb7

SHA256
ed3d8fe07b96ec1b0c7600edf37c341a2599d9ae9d7847cbb0bf85d0abca34bc

SHA512
3fbe8fdba1728d0094e32b28ce88c36602a273dc4afa36b087c50fe8a7068ef72e2704f5aab7364df7e95cb28a010c2585d0ba82c6fb5f1d50f26a9c9c66edfd

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
612B

MD5
d9cb76685e3118b941c9446389e17ec9

SHA1
43322501e7dd8e769f89028fccc4cb865d052982

SHA256
8928a7b47654b58703768daa7764e09d87ca495c2d9c87067db34f3108e24e14

SHA512
d4aef0578aeba2349a69c246988733665f300ea896f6525da07a568d05f1c8bf7284a7e0661239ec4d9dea939999ba7f6c12d8394ce91cc46dbde4f1266f20d7

Download Submit
C:\Users\Admin\AppData\Roaming\qyxA1uvS2b3m5Q6\Cloud AV 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk

Filesize
1KB

MD5
a310d745cf448bc25c0183d806dbc560

SHA1
af2fb66194b3c95c2a17d35262141b985e8f4bb4

SHA256
9bea592d1d2163e25b18ebe578f4eda57923051635084cf5289a3b9f8da5b235

SHA512
8d4fe050e3ccb77ff67a6fc143adad36b4774431f2f718685598f3a3dfe41f49dffdb4f1b7309575a6776d50d6e1f4154d726d5826f713d2ef11364f01fe361d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
178a15e28d2bafd740bf9ed302bc8b4a

SHA1
d4266a9ae2b2751e925a4e8ec0d1982ea73a3d81

SHA256
d56a11c188e6707753561a6265f2393cebb07f6d41f48b37b5a06926f8287edb

SHA512
0671c4125cd22e029c5c9def043d3901245d59b4697ad3523203850fb2bd43678843ac17d909a3a827d91295ffa56fff714f2980fc05f47180f41026eeb499e3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
a6182bd318788b9fa346a7aba797f3da

SHA1
284e208f5ef8587784290faecbe2a83b9d53789a

SHA256
0a71351b7a79f6d213b17451ef44374e9eb679492fc6904684a713a1b80cb8dd

SHA512
ca896c0a69ca2c763c348cc47cdffee14b8577b7e63e8cb02140d304a11ce9fbab35f706ca84f0f35d5ef6604d08d17867a6054463a382b325630feb071bd49d

Download Submit
\Program Files (x86)\LP\3CD8\6680.tmp

Filesize
100KB

MD5
712b790234a6b80a3dc179d07b4c631d

SHA1
a64060d004591899343721e4e10a62805b848954

SHA256
344dd99a3ae192c9f7d5fbaa1774ea1346aa1f7a71b86e06362cb7cc75184d81

SHA512
847c3a679622bad14e57e3c093f3396282fb68883caaadc51f28ab54f49b0b233d5f3d2e852f87f17b8bbca8fed43378a8c03ab97f1c095defa9ade3b9b40cb8

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
280KB

MD5
d093887f230cd4ebd19f9fc4fcb4f0b6

SHA1
28777f82755c9983fc40d8c025147ae0311faa42

SHA256
0a66e12cac7b5f76253ad318e3ea3e0e9ef43d3b146ca8af57b4b4c45efeae85

SHA512
fe3380c347d3b5354e41f422ca7faf143fff6e3269d4f3634f53c9f8eb0933a7851e097f87eedffd2d7d35bc5e33531a50aadeea368996ebc759145fe4795538

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
f119cfe2437e5e2cd663095695d445d6

SHA1
0f75d60069e5a47bca8ebfe6822bdecc79803a6e

SHA256
491447129af236e0ddb718e0b40e40ef2b2904efad2895a85aed3f2ab8b0e440

SHA512
3795822f2fe87fc483899b9c0c9ca390d09d6cbd1bfae2f07eceb8e7c1c7195e922909eebd20ea7fa08618b5f3a1f5db97b51ea8460acc87852af36c50198b89

Download Submit
memory/1304-134-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1648-28-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1648-0-0x0000000002D40000-0x0000000003153000-memory.dmp

Filesize
4.1MB

Download
memory/1648-29-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1648-2-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1648-1-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1792-98-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1792-384-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1792-408-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1792-141-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1792-227-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2224-93-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2704-237-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2736-115-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2736-234-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2736-146-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2736-103-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2736-41-0x0000000002CA0000-0x00000000030B3000-memory.dmp

Filesize
4.1MB

Download
memory/2888-231-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2992-39-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2992-30-0x0000000002B40000-0x0000000002F53000-memory.dmp

Filesize
4.1MB

Download