pony | 6de7d2edb45ff27fc0b4d29f2ffcf51cefe80da984149344657a9a5f915e1fb3

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
Size

1.9MB
MD5

5880af5d370da44861e175862f03d21a
SHA1

f1c928bf9adda4e82c8f19b8ed6d64fa7dfdec13
SHA256

6de7d2edb45ff27fc0b4d29f2ffcf51cefe80da984149344657a9a5f915e1fb3
SHA512

d0694f72f1552edf3a416e8602f38f76f2a710d70771447d6f93cdd8dd0d41da45d81eb7eae82e1bf377b8a73a12841ba345c8ad8c337dd6cd5ead47007bdb5b
SSDEEP

49152:o/DsUN6okJ1FhHUmbA2PSrJpyRLlim3UoiMQ:AkLFuIA2x/T3UoDQ

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 7 IoCs

pid	Process
1868	dwme.exe
1000	dwme.exe
2476	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
1752	dwme.exe
2500	dwme.exe
2308	3BE8.tmp

Loads dropped DLL 14 IoCs

pid	Process
2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
2476	Cloud AV 2012v121.exe
2476	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XdEL8gRZqYwUe8234A = "C:\\Users\\Admin\\AppData\\Roaming\\rEL8gTZqhCkVlBx\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\619.exe = "C:\\Program Files (x86)\\LP\\2C0D\\619.exe"	dwme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mvS2obF3pGaJdKf8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pF3pnG5aQ6W7R9T = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2600-2-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/2600-27-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/2600-28-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2476-38-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/1000-92-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1868-112-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1752-114-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2712-117-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/1868-181-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2500-185-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2712-188-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/2712-264-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/1868-287-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2712-292-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/2712-306-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral1/memory/1868-352-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\2C0D\3BE8.tmp	dwme.exe
File created	C:\Program Files (x86)\LP\2C0D\619.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\2C0D\619.exe	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3BE8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000204e29e9c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000040b9ece0c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133737455041690000"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698140135220000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080151b008e404a01b06b8003d66a8c04e4456d02cf1e3c01a80000004b0000000000000000000000000000000000000058b0b0b0b0000000adffffffffe8f6beffcce153ffe1ed2dffe7ef5effd9e67bffd4e284ffb1cc52ff374f02c10405000d000000000000000000000000000000a5ffffffff000000c0000000809fac01e7f3f5b6fefafc85ffe3ea2dffb3c812ffbccf45ffb6d055ff8fa531f7232c01bc0000004b0000000000000000000000c0ffffffff7f7f7fffd4d57affe3e967fffffff2fff6f8b1ffcdd361ffeaecc8ffbcce6effa4b940ffb1bf6bff6d8737ff101901a60000000000000000000000c0ffffffff000000a6839201def0f2cafefefeedff98a072d2050700520000004d0102004e444c07ab7e971fff989b6dff213302d00000000000000000000000c0ffffffff000000a68b9614eae0e37afed3d93dff242201730000004d0000004d0000004d1617016c778006ff5e6b1cff2c3102e20000000000000000000000c0ffffffff030303a8433902c3a59c50fbc5b661ff6a5d24b60000004d0000004d0000004d605424b2a9ac62ffb7af94ff233201d10000000000000000000000e07f7f7fff030303d6211c0c8877693aecd4c69cffac9856f365592ab5251e0e7265582ab4a99855f3cec69cff898c56ff121801a70000004b00000080000000c07f7f7fff0e0e0eb00e0e0eb035270dc3b39c6bf5d9cca8ffd5c19bffbdad6fffc6ba86ffe0d3b8ffae9f6af5b3a68bff0000008000000080ffffffffffffffffffffffffffffffffffffffff161613b8584117b0aa8e58f0d2c49ffcece2d2fed0c79ffca78e54ef463507a6f7f6f3ff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e78524531976d4e1ec3715e14db6a531dc5524531973e3e3e78ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2476	Cloud AV 2012v121.exe
2476	Cloud AV 2012v121.exe
2476	Cloud AV 2012v121.exe
2476	Cloud AV 2012v121.exe
2476	Cloud AV 2012v121.exe
2476	Cloud AV 2012v121.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
1868	dwme.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeTakeOwnershipPrivilege	2936	msiexec.exe
Token: SeSecurityPrivilege	2936	msiexec.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
2712	Cloud AV 2012v121.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
2712	Cloud AV 2012v121.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
2476	Cloud AV 2012v121.exe
2476	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe
2712	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1868	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	30
PID 2600 wrote to memory of 1868	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	30
PID 2600 wrote to memory of 1868	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	30
PID 2600 wrote to memory of 1868	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	30
PID 2600 wrote to memory of 1000	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	31
PID 2600 wrote to memory of 1000	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	31
PID 2600 wrote to memory of 1000	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	31
PID 2600 wrote to memory of 1000	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	31
PID 2600 wrote to memory of 2476	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	32
PID 2600 wrote to memory of 2476	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	32
PID 2600 wrote to memory of 2476	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	32
PID 2600 wrote to memory of 2476	2600	5880af5d370da44861e175862f03d21a_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2712	2476	Cloud AV 2012v121.exe	33
PID 2476 wrote to memory of 2712	2476	Cloud AV 2012v121.exe	33
PID 2476 wrote to memory of 2712	2476	Cloud AV 2012v121.exe	33
PID 2476 wrote to memory of 2712	2476	Cloud AV 2012v121.exe	33
PID 1868 wrote to memory of 1752	1868	dwme.exe	37
PID 1868 wrote to memory of 1752	1868	dwme.exe	37
PID 1868 wrote to memory of 1752	1868	dwme.exe	37
PID 1868 wrote to memory of 1752	1868	dwme.exe	37
PID 1868 wrote to memory of 2500	1868	dwme.exe	38
PID 1868 wrote to memory of 2500	1868	dwme.exe	38
PID 1868 wrote to memory of 2500	1868	dwme.exe	38
PID 1868 wrote to memory of 2500	1868	dwme.exe	38
PID 1868 wrote to memory of 2308	1868	dwme.exe	40
PID 1868 wrote to memory of 2308	1868	dwme.exe	40
PID 1868 wrote to memory of 2308	1868	dwme.exe	40
PID 1868 wrote to memory of 2308	1868	dwme.exe	40

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5880af5d370da44861e175862f03d21a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\D25E0\6AC2C.exe%C:\Users\Admin\AppData\Roaming\D25E0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\E0772\lvvm.exe%C:\Program Files (x86)\E0772
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Program Files (x86)\LP\2C0D\3BE8.tmp
    "C:\Program Files (x86)\LP\2C0D\3BE8.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2308
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1000
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\5880af5d370da44861e175862f03d21a_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Roaming\rEL8gTZqhCkVlBx\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\rEL8gTZqhCkVlBx\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D25E0\0772.25E

Filesize
300B

MD5
20e8b0b728c8e0484b6c50146cda2f57

SHA1
c14b49d9af9fd297e75b67c61d4f212c4b315a35

SHA256
426a9270099a99768ef23510a982d2ad54f4ab32769e416457a55c28ed0f0407

SHA512
a31e62f6ee663359504622e0596c1f95e86ac6c55bb0c2ca273300afbb82fff43d9c6e38c37342ab302d340167b36c06e321abbbd452932d6d2f36429dafb624

Download Submit
C:\Users\Admin\AppData\Roaming\D25E0\0772.25E

Filesize
696B

MD5
6d89354a0900dd675eea57a343af7b07

SHA1
c6377fd041c40a7dfc067cf2e114ef354e0975f6

SHA256
b91c2e5aab7ac073e107747c5f065cbb5f79bdb1b43ecffb637d78150014a300

SHA512
654ef3b4e487815bff3d8acb9ce268d42042817843e9b70e46b93fec52968f43d63da719117ce46287d2b166024af01b6ebac139d0f99cafa52cbbbe14b009b0

Download Submit
C:\Users\Admin\AppData\Roaming\D25E0\0772.25E

Filesize
1KB

MD5
59b0c6a0c1ff470aa54cb8e679d167f1

SHA1
fb4a75342284e76f7c81985d0f1293472d074d23

SHA256
a851b2f41e1e1f7c3b500a9c020da5b4a035efa4bb8c46b16ef29f40421185b5

SHA512
1e986156e28347c3f7ec91ebccaebd4a074e8a4e77ff5e8679d47c9a75722f30fe9a1b1199e521b1ca90fdec428af08d82262442fe2056df8a772281cc533d10

Download Submit
C:\Users\Admin\AppData\Roaming\D25E0\0772.25E

Filesize
1KB

MD5
024e532957d57243c6587d78c1f8fa31

SHA1
9a19ea6799ad5140be2975b70d1dcac22763bb03

SHA256
04f2fcf2aff63ea21c66d01fdbd39d7c365a1944e81c5192a1d2324e86c382f0

SHA512
6757e1af0db90a08db7f02081d5f8d4ae5edd4d2de4cfea191269c98c9af3f417285d101aeecc5027b31c67276791106e522e75011b700c3d46defd32a318161

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Filesize
1KB

MD5
813199f393c61a10485b04f71a03d6c9

SHA1
d33fc0104d14910b10f81cc8607f6ef206c71669

SHA256
8e41625814033c108adc60204c3b4dd0ba0f532d83df7a52665e764a518d4ca1

SHA512
16e332b4b435f994809969f03034f4dd7252b2b1ba2327f5c82429dc750a1558b405d1951b81b3d5c9c130d4aa0af6a8cfc8fb0b3ad35bf3d70616685bbf0891

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
4246e911126806686a8592a324fd2ad5

SHA1
44c016180453aabb441bf6a9be0facb94b32eb7b

SHA256
718f7da26353a6a09d1488b5b9674e33978ca9d9f6c3adc1622992e6161efd8b

SHA512
e3b0b4da950da4427111bcb67975d9eec9375c5830e265e24a3593cb4ed42e29e5015819be55e8c095e4bae60035b803a4bd7a1cdd8b823ad4294b37c0c775f3

Download Submit
C:\Users\Admin\AppData\Roaming\tmG5sQJ6dKfZhXj\Cloud AV 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk

Filesize
1KB

MD5
19d24d084ead959c283b8a6eebb5d96b

SHA1
19384087742295e8b47e978207bd9fdadab76858

SHA256
a9ec969c20e84e9be61e885b995524e17f3698401ea4c3a67c11137a642d1429

SHA512
6ac594e3e87021dcb5b798f39489827e531058a2dad99d30ac9ce31e5a6ba136c072c825102f7d25829601c0b221982a0a5bd885226c276943a4ea6e33f8dcef

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f3c20196135184f686de8b82ac9142db

SHA1
f66e7221a7a5a4417b760aef98ed94a22e696528

SHA256
882d25907bacbab4c54664ec3671643d573dc1687e7ab4d6c29c14fb260c8f5f

SHA512
0f09f0464f530473bfd4ae101312e4f0cfed0b0830938f36df1a58425c1d4ddb774a0238d8f092a24ac67f5f3bb195aad1ff899997c9a0cd5ac2d2d654d284cd

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
0b627141cb94287889a788d7fa25a116

SHA1
fd023861682bd3f4ff1b017fd9293835fe437217

SHA256
276c2a31ecf1599c41e7224f1b0170ad319edbf4a5aaed84407733f6b4d1eb73

SHA512
867f2ae0045ddb8e9d1880158ac3ab34f7f8046d8fc7168b8adf587e5192ec6b25e75f65e0d9144b05359fa84fcf832a3a1c4a7a5e43ccd4a754ecaca7b9a1b8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
9eb2bf2f47590fc2a76bdda7d4806566

SHA1
ea51e6231efb74ef10c8cb5caac2189baa901d33

SHA256
2248e76f96b36df278d3622807010b7b3bdd6a194a3b9537b7f88c55a9d04452

SHA512
b5d2174691b1d92adb9ac90a783edcd10a4425bf6310eb096b862131e84b3c30a30ad233f5fd3332526c087a2cdb9d38e497537e5f0c2cc75079150211cfac70

Download Submit
\Program Files (x86)\LP\2C0D\3BE8.tmp

Filesize
100KB

MD5
712b790234a6b80a3dc179d07b4c631d

SHA1
a64060d004591899343721e4e10a62805b848954

SHA256
344dd99a3ae192c9f7d5fbaa1774ea1346aa1f7a71b86e06362cb7cc75184d81

SHA512
847c3a679622bad14e57e3c093f3396282fb68883caaadc51f28ab54f49b0b233d5f3d2e852f87f17b8bbca8fed43378a8c03ab97f1c095defa9ade3b9b40cb8

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
280KB

MD5
d093887f230cd4ebd19f9fc4fcb4f0b6

SHA1
28777f82755c9983fc40d8c025147ae0311faa42

SHA256
0a66e12cac7b5f76253ad318e3ea3e0e9ef43d3b146ca8af57b4b4c45efeae85

SHA512
fe3380c347d3b5354e41f422ca7faf143fff6e3269d4f3634f53c9f8eb0933a7851e097f87eedffd2d7d35bc5e33531a50aadeea368996ebc759145fe4795538

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
5880af5d370da44861e175862f03d21a

SHA1
f1c928bf9adda4e82c8f19b8ed6d64fa7dfdec13

SHA256
6de7d2edb45ff27fc0b4d29f2ffcf51cefe80da984149344657a9a5f915e1fb3

SHA512
d0694f72f1552edf3a416e8602f38f76f2a710d70771447d6f93cdd8dd0d41da45d81eb7eae82e1bf377b8a73a12841ba345c8ad8c337dd6cd5ead47007bdb5b

Download Submit
memory/1000-92-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1752-114-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1868-352-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1868-112-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1868-181-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1868-287-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2308-293-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2476-38-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2476-29-0x0000000002E00000-0x0000000003213000-memory.dmp

Filesize
4.1MB

Download
memory/2500-185-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2600-28-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2600-27-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2600-2-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2600-0-0x0000000002BE0000-0x0000000002FF3000-memory.dmp

Filesize
4.1MB

Download
memory/2600-1-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2712-40-0x0000000002EE0000-0x00000000032F3000-memory.dmp

Filesize
4.1MB

Download
memory/2712-264-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2712-188-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2712-292-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2712-306-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/2712-117-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download