pony | ccd9dd1098157c884c04bc46825b296607774534e5c4200b856b28a13e03f365

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
Size

1.9MB
MD5

fc7f63ccd826f0bed675aac69a0969d3
SHA1

8bb1e89f1080e272cd77e2a08933a9daf3d9db85
SHA256

ccd9dd1098157c884c04bc46825b296607774534e5c4200b856b28a13e03f365
SHA512

1f661e13ccf40e8321abdf9344a8dc3600c2ec41fbac7be301eaeb381e8d8302565570383c226b34b71a3e020ed5a13a93018a8729db7e8f3e67e52d1019b192
SSDEEP

49152:6/H9zPqoEUP/QsGDFxUGXET3pb2uQUr3ZAK6SQKS:gHZhgFxUfT3gu3r3ZAn

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 7 IoCs

pid	Process
2228	dwme.exe
844	dwme.exe
2740	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
544	dwme.exe
2868	dwme.exe
3048	2452.tmp

Loads dropped DLL 14 IoCs

pid	Process
1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
2740	Cloud AV 2012v121.exe
2740	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2228	dwme.exe
2228	dwme.exe
2228	dwme.exe
2228	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\r0ycA1ivDoFpHsJ8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SuvD2obF4m5Q6E8 = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jmH6sWJ7fL8234A = "C:\\Users\\Admin\\AppData\\Roaming\\FjYCwkIVr\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\825.exe = "C:\\Program Files (x86)\\LP\\D5B7\\825.exe"	dwme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1676-2-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1676-29-0x0000000000400000-0x0000000000914000-memory.dmp	upx
behavioral1/memory/1676-28-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2740-39-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/844-43-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2228-108-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2352-113-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2228-127-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/544-139-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2352-140-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2352-231-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2868-233-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2228-241-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2352-305-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2228-385-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\D5B7\825.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\D5B7\825.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\D5B7\2452.tmp	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2452.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\Registry\User\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133720093613142000"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133649174577386000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000035696969690000007000000080000000800000008000000080000000800000008000000080000000800000004b0000000000000000000000000000000000000058b0b0b0b0000000adffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000000000000000000000000000000000000a5ffffffff000000c0000000800000008000000080ffffffffffffffff00000080000000800000008000000080000000800000004b0000000000000000000000c0ffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000800000000000000000000000c0ffffffff000000a60000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000c0ffffffff000000a60000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000c0ffffffff030303a80303034f0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000e07f7f7fff030303d6101010580f0f0f580a0a0a54030303500000004d0000004d0000004d0000004d0000004dffffffff000000800000004b00000080000000c07f7f7fff0e0e0eb00e0e0eb0141414901c1c1c611c1c1c611717175d0c0c0c550202024e0000004d0000004dffffffff0000008000000080ffffffffffffffffffffffffffffffffffffffff141414b428282869282828692828286928282869262626681818185e08080853ffffffff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e783e3e3e783e3e3e783e3e3e783e3e3e783e3e3e783e3e3e78ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0030000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000330020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000005039f449b311db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000d0666549b311db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	Cloud AV 2012v121.exe
2740	Cloud AV 2012v121.exe
2740	Cloud AV 2012v121.exe
2228	dwme.exe
2228	dwme.exe
2228	dwme.exe
2228	dwme.exe
2228	dwme.exe
2228	dwme.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2352	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2732	msiexec.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe
Token: SeShutdownPrivilege	2712	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2352	Cloud AV 2012v121.exe
2712	explorer.exe
2712	explorer.exe
2352	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
2740	Cloud AV 2012v121.exe
2740	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe
2352	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2228	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	28
PID 1676 wrote to memory of 2228	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	28
PID 1676 wrote to memory of 2228	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	28
PID 1676 wrote to memory of 2228	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	28
PID 1676 wrote to memory of 844	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	29
PID 1676 wrote to memory of 844	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	29
PID 1676 wrote to memory of 844	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	29
PID 1676 wrote to memory of 844	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	29
PID 1676 wrote to memory of 2740	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	30
PID 1676 wrote to memory of 2740	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	30
PID 1676 wrote to memory of 2740	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	30
PID 1676 wrote to memory of 2740	1676	fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe	30
PID 2740 wrote to memory of 2352	2740	Cloud AV 2012v121.exe	31
PID 2740 wrote to memory of 2352	2740	Cloud AV 2012v121.exe	31
PID 2740 wrote to memory of 2352	2740	Cloud AV 2012v121.exe	31
PID 2740 wrote to memory of 2352	2740	Cloud AV 2012v121.exe	31
PID 2228 wrote to memory of 544	2228	dwme.exe	36
PID 2228 wrote to memory of 544	2228	dwme.exe	36
PID 2228 wrote to memory of 544	2228	dwme.exe	36
PID 2228 wrote to memory of 544	2228	dwme.exe	36
PID 2228 wrote to memory of 2868	2228	dwme.exe	39
PID 2228 wrote to memory of 2868	2228	dwme.exe	39
PID 2228 wrote to memory of 2868	2228	dwme.exe	39
PID 2228 wrote to memory of 2868	2228	dwme.exe	39
PID 2228 wrote to memory of 3048	2228	dwme.exe	40
PID 2228 wrote to memory of 3048	2228	dwme.exe	40
PID 2228 wrote to memory of 3048	2228	dwme.exe	40
PID 2228 wrote to memory of 3048	2228	dwme.exe	40

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\7C52B\B5BD5.exe%C:\Users\Admin\AppData\Roaming\7C52B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\2B557\lvvm.exe%C:\Program Files (x86)\2B557
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Program Files (x86)\LP\D5B7\2452.tmp
    "C:\Program Files (x86)\LP\D5B7\2452.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3048
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:844
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\fc7f63ccd826f0bed675aac69a0969d3_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Roaming\FjYCwkIVr\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\FjYCwkIVr\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7C52B\B557.C52

Filesize
300B

MD5
573fda89194050ea69a3353771bfadc7

SHA1
5d433b8e01a5c1683d7ecee20ba474e1a0b2f19d

SHA256
4de03737260c0672e35d2b7fe734d5653a4c2693353b0b33ae9afd66153c51f5

SHA512
8b0819698790321b4c7d460e25b6a258fccb975811e00c947906e08d03e5408e200e89adf097f9e9b08f1a8969af8421be25a631984c3d80973a2a4d30591d2e

Download Submit
C:\Users\Admin\AppData\Roaming\7C52B\B557.C52

Filesize
696B

MD5
45b67e2da92124517cc653632a91457c

SHA1
0d3ccc3407997a80323d621dbcece45dee9d04ee

SHA256
c9e9661e5c0c8cc2a3d549ceb674eabe75540c54be4e2367843bbd341e0ba676

SHA512
6981ea1c93651bea769ea578ed7b0866737beb3131e80a9bd2ab031cdff6b6bbd4118140d053eaa55a5f75bba0f7859b40a99f3fdc6a1fd32d166a95a34dddd7

Download Submit
C:\Users\Admin\AppData\Roaming\7C52B\B557.C52

Filesize
993B

MD5
af57a72f03e7150c318724e138588a16

SHA1
85df9d1541074ceffdb1810853125efe7d04f133

SHA256
57bee99c908d73c0622c1fb63bf0ddafb2f44c8bd0e9e92f016f622e56b56f19

SHA512
5395fc54b0d66c3f675989088270d6a0a6fc968249c9aa051d4fd8a7973b95f81c67a5547ccb2b6bad72256a8a17654b161da0ae3769efb334f7d9fff10ed7a0

Download Submit
C:\Users\Admin\AppData\Roaming\7C52B\B557.C52

Filesize
1KB

MD5
40520f1c98af8639dbf27a5f6602ec62

SHA1
52ed07c24b1177f695b5f927ee0c462fbe8a0f2f

SHA256
154728eb8075586c267f11668fb6b46a8776fff187276e5e1b05054199e3ce5e

SHA512
e0bd0e2754a5bbcb0ef4654c82a63574b27352fcc2341abb6548f0281a029efb9b38d3d7e298ee3732e4585247242702dce299aa06c3a84870c80535c7c11b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Filesize
1KB

MD5
c5c0e0006d019abec4b2466169c7e07b

SHA1
732dad4fd0dccd2f5f655f7ee469a243a89078ca

SHA256
adfdd229e72880db701b88040ad4d91e7bd244cb1e93a28749e8446345727ed7

SHA512
09a073600b326521324d77756ecfaf931fa21471362c9a5112623daeff84299ef6d063a91fbf585388823833f0ee61c2e77cd826dc0673081c4066d4faad0da4

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
607B

MD5
48d76ac9228c29f7c3f0d54a9526f4c2

SHA1
ef1a5cc167381e3835d329b072ba20b0d42d4a29

SHA256
5437041f8ce5cf372802531839f0ce784a16919a25cc836441da000339e8a78a

SHA512
b5aacdbf520a71cf6a74781cb8547f7ddb01e5e8bfe1061766fe2b954115eeb3c8a41e8d5ec563b4aa57ae3b1eaed58bcac9a4ca914ab8d917316b38f35672d7

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
4903dc02b5e89e5fa9226536b776addf

SHA1
48db324a5a8ece21b53ce52c86e98a905e53ba38

SHA256
de28280abb80058953997a4ea177d637ac5e65c092ca10115d8b04f927552f79

SHA512
bae6dde1e224530c733910f17c248fb4c8adf6ad099d300188b5021abcaeda00531f5cf7eefae98b685251ce921f370f0ccc9b5b15e73309ba5c864d73ba2d8a

Download Submit
C:\Users\Admin\AppData\Roaming\x5sQJ6dEKfZhXj\Cloud AV 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk

Filesize
1KB

MD5
1700eb3f9472ff29eab4669e4488dc0f

SHA1
e6b85a46fe7041bbc0127a6e58c5d828925c9a32

SHA256
e6b6fc27b37cca3da20037e85de777af6614c51506cb51ea5314eeaf37ec0f8f

SHA512
c7c88389b5fb6c1a01383c73697d3b2592c05e72903ac92d160266ef382aeeb650c655eb72ef1662f7c3758416d548f7a6c9fec87dbbbd6de6a71cb3b29ef491

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f2ea5bc21a83316fd72208c642d1fd24

SHA1
03e86324c992adeb27cec2f787f10336b9709f1e

SHA256
23c1b9ef169be235490c763b54e52279c7d45acfe9816767dc0ff5828ef69c2c

SHA512
13a38e4d5043182941a43eb003a7ca984b6606b21dc387d13833c58c07b83f4032de0889199f6b9bcaee589fef1676c36df1c9071234137e3591928bbd185583

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f48cfb5db32cdf990f35a5ef9146dbf4

SHA1
09b4f991e17aba915160f6c153c6d78e2d4aa4d9

SHA256
72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397

SHA512
385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301

Download Submit
\Program Files (x86)\LP\D5B7\2452.tmp

Filesize
99KB

MD5
b6c44c70136fcbed1aace964c4e98e9d

SHA1
4f7961087e09cdf03efe4fe0b7f2243499504628

SHA256
75d10ab1bea3e7cb80e3c0048b79cf0496c88b885ff853d6f430c71272030bcd

SHA512
801762bbc8ffa62fd49dadb75bfa0ff31f73ee4b712c91d23885f0d4fbc45eebbc30f2ab84e04ce375e8a269bb2a1c8514c4dd9cbd50f42e5960987c719092da

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
279KB

MD5
28f68e83db55f7bea9da2240ed0fb82e

SHA1
f921166658168cd0149fc4bf192ed37a2281ab15

SHA256
41a4cfba62cc917f591523b5adefa926afb6bfe54aba4d2b72ac6f98253d9b58

SHA512
40976449c4a135a2375ef875f0d0e7c0a3f612786ab7901a49b5def17348fdfc57ad0b6fb7e83ea01714d8c95f1154c27502572f1905bfde18d818ffe58fcbc6

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
fc7f63ccd826f0bed675aac69a0969d3

SHA1
8bb1e89f1080e272cd77e2a08933a9daf3d9db85

SHA256
ccd9dd1098157c884c04bc46825b296607774534e5c4200b856b28a13e03f365

SHA512
1f661e13ccf40e8321abdf9344a8dc3600c2ec41fbac7be301eaeb381e8d8302565570383c226b34b71a3e020ed5a13a93018a8729db7e8f3e67e52d1019b192

Download Submit
memory/544-139-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/844-42-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/844-43-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1676-28-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1676-0-0x0000000002E40000-0x0000000003255000-memory.dmp

Filesize
4.1MB

Download
memory/1676-29-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/1676-2-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1676-1-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2228-127-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2228-241-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2228-108-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2228-385-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2352-113-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2352-231-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2352-140-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2352-44-0x0000000002E50000-0x0000000003265000-memory.dmp

Filesize
4.1MB

Download
memory/2352-305-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2740-39-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2740-30-0x0000000002D10000-0x0000000003125000-memory.dmp

Filesize
4.1MB

Download
memory/2868-233-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3048-306-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download