pony | b7f10c8e266aca99a9ceb638b223baa01b0e1f648373d72f6abd0a6b5a994fee

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
Size

1.9MB
MD5

75b22a8d8c9506770d8057d0d83f671e
SHA1

0900300539c9010d6fea83227af3011ee235d75f
SHA256

b7f10c8e266aca99a9ceb638b223baa01b0e1f648373d72f6abd0a6b5a994fee
SHA512

21cc89df746f48214eb979670222aef168c84bd2543ecde401ad4695278db07617676db4c07d6669bc8a70eb65c769777e964ab915a638cceae4bc69a4057e65
SSDEEP

49152:5dOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:3OjtMaWZUxUfT35X06si

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 7 IoCs

pid	Process
2500	dwme.exe
1708	dwme.exe
2340	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
1052	dwme.exe
2012	163F.tmp
1812	dwme.exe

Loads dropped DLL 14 IoCs

pid	Process
2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2500	dwme.exe
2500	dwme.exe
2500	dwme.exe
2500	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ChYXwjUVeItPyAu8234A = "C:\\Users\\Admin\\AppData\\Roaming\\hUVelOBtz0c1v2n\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\C98.exe = "C:\\Program Files (x86)\\LP\\26F3\\C98.exe"	dwme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xXwjUCelIrPyAuS8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zkIBrzONyAuSiFp = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-2-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2532-29-0x0000000000400000-0x0000000000914000-memory.dmp	upx
behavioral1/memory/2532-28-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2340-40-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1708-43-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2500-106-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2604-111-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1052-175-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2500-178-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2604-197-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1812-269-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2500-273-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2604-279-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2604-354-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2500-425-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\26F3\163F.tmp	dwme.exe
File created	C:\Program Files (x86)\LP\26F3\C98.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\26F3\C98.exe	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	163F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133742958034872000"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698140141790000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080030e0087223c01a8526a02ce5b8304e2466502cc1b3001a30000004b0000000000000000000000000000000000000058b0b0b0b0000000adfffffcffecf6d5ffb6dc58ffc7df50ffd0e160ffd5e185ffbdd76cffb1cc64ff344e02c00306000d000000000000000000000000000000a5ffffffff000000c01a19008d788901dbdde84efdedf487ffcbdc29ffa5bd17ffa8c23bffbdd16eff89a231f6242801bb0000004b0000000000000000000000c0ffffffff7f7f7fffccd873ffdbe244fff7fa6effdee858ffcbd75cffe9ecceffb9ca76ff8daf2affb1bd6cff708338ff101601a50000000000000000000000c0ffffffff000000a6adb80aeafafbf7fffefdb3ff808827c9090b00550000004d0001004e494e0dac8d9b33ff7b8647ff252d05cf0000000000000000000000c0ffffffff000000a6b7bb01f2fefefbfffeffe9ff27250c750101004e0000004d0000004d1618016c787e06ff6d6f2dff2f3203e20000000000000000000000c0ffffffff030303a8746b02d3d1cc59fddcd268ff7c6d25bf030400500000004d0000004d615625b3b2aa6aff9c966dff252702cf0000000000000000000000e07f7f7fff030303d6413a0a99a1983bf2ded59afebaa956f56d5f2db8241e0e7266582ab4aa9856f3ccc49bfe969063ff121501a60000004b00000080000000c07f7f7fff0e0e0eb014130db2473a0cc9baa76af6ddd0aaffcfbd8fffbeaa70ffcbba8affdccdaeffad9d69f4afa888ff0003008100000080ffffffffffffffffffffffffffffffffffffffff191613b8584217b0aa8d58f0d2c49ffce6dcc7fed3c49efbab8e58ef473208a5f7f6f3ff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e78524531976c501ec4785a15da6c511ec4514531973e3f3e79ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000f0a60cf6c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000f034cceec2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2500	dwme.exe
2500	dwme.exe
2500	dwme.exe
2500	dwme.exe
2500	dwme.exe
2500	dwme.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2652	msiexec.exe
Token: SeTakeOwnershipPrivilege	2652	msiexec.exe
Token: SeSecurityPrivilege	2652	msiexec.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe
Token: SeShutdownPrivilege	2268	explorer.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2604	Cloud AV 2012v121.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2604	Cloud AV 2012v121.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe
2268	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
2340	Cloud AV 2012v121.exe
2340	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe
2604	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2500	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2500	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2500	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2500	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	30
PID 2532 wrote to memory of 1708	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	31
PID 2532 wrote to memory of 1708	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	31
PID 2532 wrote to memory of 1708	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	31
PID 2532 wrote to memory of 1708	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2340	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2340	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2340	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2340	2532	75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe	32
PID 2340 wrote to memory of 2604	2340	Cloud AV 2012v121.exe	33
PID 2340 wrote to memory of 2604	2340	Cloud AV 2012v121.exe	33
PID 2340 wrote to memory of 2604	2340	Cloud AV 2012v121.exe	33
PID 2340 wrote to memory of 2604	2340	Cloud AV 2012v121.exe	33
PID 2500 wrote to memory of 1052	2500	dwme.exe	38
PID 2500 wrote to memory of 1052	2500	dwme.exe	38
PID 2500 wrote to memory of 1052	2500	dwme.exe	38
PID 2500 wrote to memory of 1052	2500	dwme.exe	38
PID 2500 wrote to memory of 2012	2500	dwme.exe	39
PID 2500 wrote to memory of 2012	2500	dwme.exe	39
PID 2500 wrote to memory of 2012	2500	dwme.exe	39
PID 2500 wrote to memory of 2012	2500	dwme.exe	39
PID 2500 wrote to memory of 1812	2500	dwme.exe	40
PID 2500 wrote to memory of 1812	2500	dwme.exe	40
PID 2500 wrote to memory of 1812	2500	dwme.exe	40
PID 2500 wrote to memory of 1812	2500	dwme.exe	40

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\34645\DC526.exe%C:\Users\Admin\AppData\Roaming\34645
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1052
- - C:\Program Files (x86)\LP\26F3\163F.tmp
    "C:\Program Files (x86)\LP\26F3\163F.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\45114\lvvm.exe%C:\Program Files (x86)\45114
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1812
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\75b22a8d8c9506770d8057d0d83f671e_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Roaming\hUVelOBtz0c1v2n\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\hUVelOBtz0c1v2n\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\34645\5114.464

Filesize
300B

MD5
c276513fb32b58d5e5e713b19fdafc79

SHA1
7f29631077e5ee3b32b017e9a1677fdc18aaa3fd

SHA256
a15d7dc87b6a043734a83fd1c388d59400f5d3301d61785a590a456e7d444084

SHA512
86e0fa2ca07b440ebe5465987e710e6ba1621535ffea2dffb30aa343c5288d6777d13edb171bc3dcc4e6ff9f2ee6ad931791dc474e470d78ef997ef1b96092ca

Download Submit
C:\Users\Admin\AppData\Roaming\34645\5114.464

Filesize
597B

MD5
21e072bb2aef9f06ead3b44107010d8d

SHA1
ff5304d4c415fb5491f1948e78da618678418476

SHA256
b8403eed6c88ebeab0a69b83b41de0a7413e9ee952f872605725a672312e9ccf

SHA512
a88e083c2ee689b362849eeaead3c37fb8fb85d93d902645692a4532f1460405add6542a39b13fef5127517ac3c3b4372f031f923df7d1d74e3072a0a6ee4138

Download Submit
C:\Users\Admin\AppData\Roaming\34645\5114.464

Filesize
993B

MD5
21350e36b29833ae31723e650438213b

SHA1
90a681092f13288d8373db72b2c017c0e0fb40ce

SHA256
4c9be1cecceae5adf36f04315d9d2ffeeceaa76bdd5ebba986d7a680a40db310

SHA512
ef355f2ffc15198e8388347bb61bdbf7e01ab6806acace597c8a63862589675c947b2a1b48b2ddddd6bbeac30bb5e11c7136d4c86494b862ddf883c2dbaf0f35

Download Submit
C:\Users\Admin\AppData\Roaming\34645\5114.464

Filesize
1KB

MD5
2ef4451e7df17a4e9b61b8e3e48588ab

SHA1
c69a145a5cf5a46f4c0a21e727f7ecd995e375ee

SHA256
b231762bcd0bedd10b05ab063c646903496ba675d2f3418119141c761b1e87d3

SHA512
127700302c7c2102ed99351b2e23d38e66da471830a683c0a7f9536e31358fe6c6c0d4ce14434ff83f5d6fc785e8d982e370559014868804b52cf19c43724664

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Filesize
1KB

MD5
9497470327b3c2edfd1548677e81b591

SHA1
45652febe5c31e4f20e298345a8a49625f893451

SHA256
8d048a33141bbfe6ec64ed7f285437757512b35c51c1891983e8b9cd77dc6c9e

SHA512
78d18dea195913c65af4d14bf065555f91af941568f92dd3c9dda40807082fbf923ff845dfb7515a1f4e620b39d2dc51afec2ee6e30757de6f2645c8a24e9cf6

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
612B

MD5
a9d1d235bb10272e070242c12e3d26d8

SHA1
e2974199837f90f88cbbc78473f076c327f89544

SHA256
23c23f5188e904549d74dc97e10f7ad10e3b6e4a4f063d09ad782d075351de9c

SHA512
51f5b68f2632063b909291b46e9064067674c8cb00825e46fe6287531bf5e690f728f36f8cfea4984a77622b616cb8420137f3ce2cd8804e02061d225cde392b

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
427d1e819eb8a3a89310d8bd5bacb1d6

SHA1
0b51dc2ea6339d2049e4e9ad8c3bdf38fddea616

SHA256
cb6dd0eb3731c747e57d8e416ff44094e9badeecacd0e5ba0e3f8a5ddb551e6b

SHA512
9496ad8ca31b21f5fe2d5effd55d9e47087fdd2959fa78b4724f74c4f9243dbcb70f9d51aa808afae9eb7ce2212192fd98a74543f0f8696dbc899cae86972478

Download Submit
C:\Users\Admin\AppData\Roaming\e0ucS1ibDoGaHsJ\Cloud AV 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk

Filesize
1KB

MD5
82d1443a5cf43d2967d1d3000df7c65f

SHA1
66465c3bb12a36d43422e3c27c9db33300356c7f

SHA256
a10576697d83911c6c33865c5845839474fa5ed1c194eeb60ddb137422405585

SHA512
a724337ac32de532555769275326fe21a948dd22b0a18a8c1b9bd82aa8863c2e1b514b7490c7d846a646fe57eaea09534307b20b2df41e42ba6bde113b30a17b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
400ae8ef6820124f5711f92820a2bb5e

SHA1
50bd21eea6145992ce1e9d541746529e9065b10a

SHA256
9e3e13194a15f48289c6fba64bba7bc1b6b25cc127261a3304c2adb409cb9527

SHA512
108e1cc9b18c262f8bb86fdf438f3591e5d43dafb70c1547b0c57e1e4972ddbfe3b33a8e90de786d356781903453a9f240d437ac44fffe2f092811f2456dac88

Download Submit
\Program Files (x86)\LP\26F3\163F.tmp

Filesize
99KB

MD5
ac9682380b3c94ffe32d0aca1a53d53e

SHA1
7c1485c7d2720d433306ff5c86fd944331bc4447

SHA256
cd0e4cd89551d243fd1365950d28470d56a09f29e834d13288f6ca1aff4c1626

SHA512
978eaa0bfd1c62d4e7eaac0470ed29dfcc683aef8b087fbd76caf1218d700010d1bb2ae1d155811665e52c842326bef1779d082161b72c8c25c8e6167ea12eb9

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
279KB

MD5
c97ff984c8643e9a8404592683cd7162

SHA1
9f0e2724d047c794b4457fb799cc6e96438a7292

SHA256
1c5529c199a8a1744246396812a2e90c847ca78a6a438592010fe1b0573fdf32

SHA512
f18481023fc45bc8618dd2aa481d806d1c799b5a635ed2ad64be0ed3f26470330973bfa04a56349f8cc473761bab1ea1780d07c7d77b5895b4aef0219e7a4bf6

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
75b22a8d8c9506770d8057d0d83f671e

SHA1
0900300539c9010d6fea83227af3011ee235d75f

SHA256
b7f10c8e266aca99a9ceb638b223baa01b0e1f648373d72f6abd0a6b5a994fee

SHA512
21cc89df746f48214eb979670222aef168c84bd2543ecde401ad4695278db07617676db4c07d6669bc8a70eb65c769777e964ab915a638cceae4bc69a4057e65

Download Submit
memory/1052-175-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1708-43-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1812-269-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2012-278-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2340-40-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2340-30-0x0000000002C90000-0x00000000030A5000-memory.dmp

Filesize
4.1MB

Download
memory/2500-425-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-178-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-273-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-106-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2532-2-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2532-0-0x0000000002F60000-0x0000000003375000-memory.dmp

Filesize
4.1MB

Download
memory/2532-29-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2532-1-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2532-28-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2604-197-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2604-111-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2604-44-0x0000000002E90000-0x00000000032A5000-memory.dmp

Filesize
4.1MB

Download
memory/2604-279-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2604-354-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download