pony | 5c6c6019283a22b8e2202d88a8d9ca6c4f87f3154945bb07a5db5b23071c9e53

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
Size

1.8MB
MD5

f7ede4315ac864a6ee98609b1d5313d2
SHA1

637b597c6e1448c97980e081994aafdc4c3159ba
SHA256

5c6c6019283a22b8e2202d88a8d9ca6c4f87f3154945bb07a5db5b23071c9e53
SHA512

2552c0d8302fae497e3903f7946996dd971ace822392df60279c23a6cc05607c2743d23b7fc3c5af68ec97b81cb043e35d06d28683ed4b4b16e432268b84ef3f
SSDEEP

24576:h5iYzJqnXGaUVsdan5OcHnOSE65Jp6EbNlHAqSakgEl7YifVbs+Ll4Se7hCm2:/ilusd+OaGALtNlgqSMI77u+B4SUYm2

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Security 2012v121.exe

Executes dropped EXE 8 IoCs

pid	Process
2088	dwme.exe
2732	dwme.exe
2852	AV Security 2012v121.exe
332	dwme.exe
2340	AV Security 2012v121.exe
2372	dwme.exe
2428	dwme.exe
792	5783.tmp

Loads dropped DLL 16 IoCs

pid	Process
2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2088	dwme.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2088	dwme.exe
2088	dwme.exe
2088	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D5E.exe = "C:\\Program Files (x86)\\LP\\327B\\D5E.exe"	dwme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NdWK7fRL9Tq8234A = "C:\\Windows\\system32\\AV Security 2012v121.exe"	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sQH6sWK7fLgZjCk = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HZ9hTXwjUeI8234A = "C:\\Users\\Admin\\AppData\\Roaming\\RYXwjUVelBzNc1v\\AV Security 2012v121.exe"	AV Security 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aQJ6dWK8fLhXjCk = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	AV Security 2012v121.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Security 2012v121.exe	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Security 2012v121.exe	AV Security 2012v121.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-2-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral1/memory/2088-13-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2088-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2356-30-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral1/memory/2356-31-0x0000000000400000-0x00000000008DD000-memory.dmp	upx
behavioral1/memory/2732-34-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2852-53-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral1/memory/332-56-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2372-109-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2088-118-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2340-126-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral1/memory/2428-185-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2088-190-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2340-195-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral1/memory/2088-283-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2340-289-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral1/memory/2340-302-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral1/memory/2088-354-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\327B\5783.tmp	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\327B\D5E.exe	dwme.exe
File created	C:\Program Files (x86)\LP\327B\D5E.exe	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Security 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5783.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Security 2012v121.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698139981962000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080000000801c26019e435d02ca597103dd455602c71c24019d0000004b0000000000000000000000000000000000000058b0b0b0b0000000adfffffffff3f7efffbac886ffa5b843ffbfce70ffc6d177ffbec969ffa6b745ff374301bd0406000e000000000000000000000000000000a5ffffffff000000c000020081263004be9aa545f6b0bf50ffa5b437ff94a313ffa6b033ffb3bf53ff919e39f6242f01bd0000004b0000000000000000000000c0ffffffff7f7f7fffc8c8b8ff708337ffa4ba5dff90a623ffc2c87fffeaecd2ffc2c77fff94a225ffb3b869ff78813fff0f1301a40000000000000000000000c0ffffffff000000a6252501bb687928f9b2b168ff414a03aa0001004e0000004d0000004d434503a8818917ff6f7633ff232302cd0000000000000000000000c0ffffffff000000a62e4502d96a851afe809806ff1818016c0000004d0000004d0000004d1716016c8b7f19ff696523ff2f2a02e10000000000000000000000c0ffffffff030303a82a3e02c4a3b44efccdd161ff766f25bf0000004d0000004d0000004d6a5e24b6baa862ff918459ff271f02cd0000000000000000000000e07f7f7fff030303d61f1c0c89889d3af3f3f0bfffdcd954fa867c2ac528230e757e6d2bbfc9b855f7d9ce9afe928159ff120d01a30000004b00000080000000c07f7f7fff0e0e0eb00e0e0eb03c4a0acddddc6bfcf9f9a8fffcfd97fffffff2fff3f397ffece8a8ffc8b56af7b5a888ff0000008000000080ffffffffffffffffffffffffffffffffffffffff1b1913b9817911c8e8ea53fdfffffdfffffefafffdfcf4ffd6d454f9705b07b9f7f5efff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc44433c7c717723b5a9b30ee7d0c309f3a5a70ee2707224b244433c7cffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000f0d0b4c4c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000090a03cbec2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133718132938646000"	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	dwme.exe
2088	dwme.exe
2088	dwme.exe
2088	dwme.exe
2088	dwme.exe
2088	dwme.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe
Token: SeShutdownPrivilege	1728	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
2340	AV Security 2012v121.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
2340	AV Security 2012v121.exe
1728	explorer.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
2340	AV Security 2012v121.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
2340	AV Security 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
2852	AV Security 2012v121.exe
2852	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe
2340	AV Security 2012v121.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2088	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2088	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2088	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2088	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2732	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	33
PID 2356 wrote to memory of 2732	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	33
PID 2356 wrote to memory of 2732	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	33
PID 2356 wrote to memory of 2732	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	33
PID 2356 wrote to memory of 2852	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	34
PID 2356 wrote to memory of 2852	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	34
PID 2356 wrote to memory of 2852	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	34
PID 2356 wrote to memory of 2852	2356	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	34
PID 2852 wrote to memory of 332	2852	AV Security 2012v121.exe	35
PID 2852 wrote to memory of 332	2852	AV Security 2012v121.exe	35
PID 2852 wrote to memory of 332	2852	AV Security 2012v121.exe	35
PID 2852 wrote to memory of 332	2852	AV Security 2012v121.exe	35
PID 2852 wrote to memory of 2340	2852	AV Security 2012v121.exe	36
PID 2852 wrote to memory of 2340	2852	AV Security 2012v121.exe	36
PID 2852 wrote to memory of 2340	2852	AV Security 2012v121.exe	36
PID 2852 wrote to memory of 2340	2852	AV Security 2012v121.exe	36
PID 2088 wrote to memory of 2372	2088	dwme.exe	37
PID 2088 wrote to memory of 2372	2088	dwme.exe	37
PID 2088 wrote to memory of 2372	2088	dwme.exe	37
PID 2088 wrote to memory of 2372	2088	dwme.exe	37
PID 2088 wrote to memory of 2428	2088	dwme.exe	39
PID 2088 wrote to memory of 2428	2088	dwme.exe	39
PID 2088 wrote to memory of 2428	2088	dwme.exe	39
PID 2088 wrote to memory of 2428	2088	dwme.exe	39
PID 2088 wrote to memory of 792	2088	dwme.exe	41
PID 2088 wrote to memory of 792	2088	dwme.exe	41
PID 2088 wrote to memory of 792	2088	dwme.exe	41
PID 2088 wrote to memory of 792	2088	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\BAB63\49232.exe%C:\Users\Admin\AppData\Roaming\BAB63
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\63669\lvvm.exe%C:\Program Files (x86)\63669
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Program Files (x86)\LP\327B\5783.tmp
    "C:\Program Files (x86)\LP\327B\5783.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:792
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\SysWOW64\AV Security 2012v121.exe
  C:\Windows\system32\AV Security 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Roaming\dwme.exe
    C:\Users\Admin\AppData\Roaming\dwme.exe auto
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:332
- - C:\Users\Admin\AppData\Roaming\RYXwjUVelBzNc1v\AV Security 2012v121.exe
    C:\Users\Admin\AppData\Roaming\RYXwjUVelBzNc1v\AV Security 2012v121.exe 5985C:\Windows\SysWOW64\AV Security 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BAB63\3669.AB6

Filesize
696B

MD5
4a0ee29fc9bcf20a5df3f8a26486270a

SHA1
7cc86683ee08aef850422145a92f2888c76dcbab

SHA256
16a33167c289a8ce861eb90acec6bc9e15f1a700700c4bcc8ea68d35bd4574d3

SHA512
0630452189fa805e19d3e9c8e6a349c124b45c85afe2e147693c377f6238e83421dd063f789277a1722ed3cc428f73459fa0a458752a98d88cb8a043ec9282de

Download Submit
C:\Users\Admin\AppData\Roaming\BAB63\3669.AB6

Filesize
1KB

MD5
a0ea4fe05de6936ac909efb0f2ac7460

SHA1
e59e1b776c087714a0439ee4b896abb86cab0f57

SHA256
e12ceab0bc354000114b5b307891a27db19498ef6f62d47bc80425de69a8b4c9

SHA512
1ba82cf06bf26950bedd1a5cf5929816198a8559537023bc1ed3393a83f2b1c02f571a28a7450226b41dd73ad164672151b91a796ab552176c63df07a6408f6c

Download Submit
C:\Users\Admin\AppData\Roaming\BAB63\3669.AB6

Filesize
1KB

MD5
cb6a0badd50bf4ba5458869694b06887

SHA1
1de261775ba028cfc6d581e1dacff2c3da392464

SHA256
e9f854c848b75328708d50237ac3ad012d90f0ff78880cf56d66f179bef51fa7

SHA512
5cd5812dd55114085d34cb790807ce331bdf29b11abf2004a9b6409d42066217e4c883c39e8f2f7dfa95055be92783839b64f1ff68aad76f5c323acc744e869d

Download Submit
C:\Users\Admin\AppData\Roaming\BAB63\3669.AB6

Filesize
300B

MD5
19bb18f504942bf0309a5e9c0ee9793a

SHA1
2c741846411e4c7f73ab4cec31896879342b097b

SHA256
0733616fd0e1ceb28b3a2285d7430fbe0c6049ed6932277ac396423eaf6507e1

SHA512
1a3d910357370fce13eb148bd6ffeb70d886eb8ac535d32390331af57d683f7565ef9948252f12b90e22d4c05b0b4649c8363a0ce80ea505fe5c80fbb9ff5185

Download Submit
C:\Users\Admin\AppData\Roaming\J3onG4amHsJfLgZ\AV Security 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk

Filesize
1KB

MD5
c6222aeb02fb0164a9f16ff0c05455b8

SHA1
c83bcfe80393f54838ba2d96a5da890ebfe80173

SHA256
7cd4d6880eaa49702e43715f829b7b913973417a34ca3953dde1552fa6d8fcd2

SHA512
d923aa1fc666f125d3d67dc2645705e86916c588c85b981081a2dd2ce42ad68023f1ebb45a7e3dfe6772d905eb00d7ab60461ff39ff1ae2f96fa2b9882835e97

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
4571c0fe8facadd10c7956c736546aab

SHA1
f82231d922350286a3d2df6c8b679f7c251da12f

SHA256
9638b0ce2e9e47b72d47d3fdd931a717aa1161d7fd97886d7fa0868496f65f6e

SHA512
37768a18e0948a0e11a9d5dd88926eb0bce8bb9e4c6c2c0fab878bd250a414e51d91fd1bd7bfc29136ef9388f91aed47ffd7868de585ce5b662dcf5f43e60596

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
609B

MD5
ccbb5353fbb535de7d59f12abc4ec5ab

SHA1
dcdf6411e32148e7251a119b845971be3cd7e813

SHA256
a0bb0933603cd4d4fc1273be3591f48b43bfef2daec34a32c7cb1574eaa81294

SHA512
98a2a5d2f88b953a76e252b45ba4e791697cc99d7463996f656f6215556ddde006255e69e0b8a49fa7e0d8c29628b5365aa84f686bcbad022f1b7cd06b71e833

Download Submit
C:\Users\Admin\Desktop\AV Security 2012.lnk

Filesize
1KB

MD5
11817a27c4c193ceef25e8d0dc618965

SHA1
1cc608cc820672cffca7344e4f59f9c309135587

SHA256
ada45dcd49247c9adbef0debaf04efd15e13f61f20a5a47177048e91f2245e79

SHA512
1cc19f783d0ebc0737bdc46941f50f7c6cb57a46a4bd9bad05eb1ac1d3e517a09fc7327b155237f4c4c6b89da584759caaa55125fed49a82b78811d841a085e1

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0c7507b36c53bb50ab29842ceda6bf5e

SHA1
a772f99514dd18a29b1233d16392bdedd384b7de

SHA256
7a270ccdfd864348c0f4eb9f35caf0e57bda75f2aa7d525a72c18fe82b313f97

SHA512
f937ebda34dcff296fbb1dff04428f7b0f308e8927f6d5fc9f715687abea342b7eacf372fb0c1e6e99ef3df04f120ee581f6fcf14a519347ba3ae3a9cdeb46aa

Download Submit
\Program Files (x86)\LP\327B\5783.tmp

Filesize
96KB

MD5
2392c2d68d99447290bd40e5a8a7b418

SHA1
3b1452cb997fa8c6d15c85788170c5c37da1b08b

SHA256
1dd6ea218dbd4111169fa089fead8aa31e9912f2dda5cd8c5385a0c6ef0e3226

SHA512
42c2cdb8a9f2e09f00930efac68f9cb789511ebff72b1a0c0044cd6415667a9550d0ac1d38ea9cf9de47d4be1d5cba60900b10a4716ab59c41c3403331ee7902

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
267KB

MD5
a4dc0cccc0561acaa30c9a1d8db14a94

SHA1
1521543ff04d17895923161bcd87476d8468fe6f

SHA256
5a8c33eabda57c3aaf386847e351e84ea22fb659f74ddf17dcc645de92675b66

SHA512
f74ef04874d4ef55db52dd54cb94b9f09d9230cd9795438f6e2ed2598bb0fac5242c8d0125ace19879045898e5becbc3c2c567f21d674ed280bed1ecf4bebfa5

Download Submit
\Windows\SysWOW64\AV Security 2012v121.exe

Filesize
1.8MB

MD5
f7ede4315ac864a6ee98609b1d5313d2

SHA1
637b597c6e1448c97980e081994aafdc4c3159ba

SHA256
5c6c6019283a22b8e2202d88a8d9ca6c4f87f3154945bb07a5db5b23071c9e53

SHA512
2552c0d8302fae497e3903f7946996dd971ace822392df60279c23a6cc05607c2743d23b7fc3c5af68ec97b81cb043e35d06d28683ed4b4b16e432268b84ef3f

Download Submit
memory/332-56-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/332-55-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/792-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2088-354-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-190-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-283-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-118-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2340-289-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2340-126-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2340-302-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2340-57-0x0000000002BF0000-0x0000000002FD0000-memory.dmp

Filesize
3.9MB

Download
memory/2340-195-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2356-31-0x0000000000400000-0x00000000008DD000-memory.dmp

Filesize
4.9MB

Download
memory/2356-30-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2356-2-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2356-0-0x0000000002C30000-0x0000000003010000-memory.dmp

Filesize
3.9MB

Download
memory/2356-1-0x0000000000400000-0x00000000008DD000-memory.dmp

Filesize
4.9MB

Download
memory/2372-109-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2372-108-0x0000000002180000-0x0000000002280000-memory.dmp

Filesize
1024KB

Download
memory/2428-185-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2732-34-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2732-33-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2852-53-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2852-35-0x0000000002B70000-0x0000000002F50000-memory.dmp

Filesize
3.9MB

Download