pony | 72ed6850b21610aad10f6e8b079401cc2498d65c07983c3c4db740153be464a8

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
Size

1.9MB
MD5

76a0f318ccfd9fc95316e17f8e37b027
SHA1

2cea245a4e1de4749d98c550cc84d8cb7ce9569a
SHA256

72ed6850b21610aad10f6e8b079401cc2498d65c07983c3c4db740153be464a8
SHA512

9da5e433bcbcec953849ed2d7f56349786ae900cc4d2dfa333064f2e3251bf32026dca7c747cfc5dbab18ee2950175a9a478a09613168d096634f1d02fcf83ae
SSDEEP

49152:6BH9zPqoEUP/QsGDFxUGXET3pb2uQUr3ZAK6SQKS:KHZhgFxUfT3gu3r3ZAn

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 7 IoCs

pid	Process
1628	dwme.exe
2084	dwme.exe
1916	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
1744	dwme.exe
600	dwme.exe
1560	3DFA.tmp

Loads dropped DLL 14 IoCs

pid	Process
2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
1916	Cloud AV 2012v121.exe
1916	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A42.exe = "C:\\Program Files (x86)\\LP\\1DB2\\A42.exe"	dwme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hfRL9hTXqUeIrOy8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hXqjYCekIrOtAuS = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pzPNycA1uDoFpGs8234A = "C:\\Users\\Admin\\AppData\\Roaming\\pivD2onF4m5Q7E8\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-2-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2504-28-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2504-29-0x0000000000400000-0x0000000000914000-memory.dmp	upx
behavioral1/memory/1916-39-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2084-43-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1628-119-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1744-123-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2716-126-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1628-194-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/600-198-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2716-201-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2716-290-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1628-312-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2716-317-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1628-373-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\1DB2\3DFA.tmp	dwme.exe
File created	C:\Program Files (x86)\LP\1DB2\A42.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\1DB2\A42.exe	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3DFA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080000000801c22019d455402c75b6e03dc455402c71c22019d0000004b0000000000000000000000000000000000000058b0b0b0b0000000adfffffffff7f7f3ffbfc789ffa9b645ffbdc665ffc8d078ffbdc764ffa9b544ff373f01bc0404000c000000000000000000000000000000a5ffffffff000000c000000080222a01bb8d9c32f6b0bf50ffa1ac2aff97a013ffa3ab2bffb5bb4fff919834f5242801bb0000004b0000000000000000000000c0ffffffff7f7f7fffc4cab5ff708038ffb4be6effa5af43ffbfc77cffececd4ffc4c680ff9fa126ffb0b255ff7a7c39ff131401a40000000000000000000000c0ffffffff000000a6223401bf6d883ef9769617ff474f0bad0002004e0000004d0000004d4e4c03aba3a017ff959331ff403c02d30000000000000000000000c0ffffffff000000a62c4306d9a4a880fe728808ff1717016c0000004d0000004d0000004d2b270177b2a809ffb0ac1cff736e02eb0000000000000000000000c0ffffffff030303a8272901bd99966efabbb279ff5f5925b40002004e0000004d06060051a49b77d2fffff2fff3f1b0ff877e01e30000000000000000000000e07f7f7fff030303d61d1e0c8a70703bedccca9dffa5a855f5777438c23d390e83897e2cc6f7f5b1fefffff7ffe9e67fff5d5401c00000004b00000080000000c07f7f7fff0e0e0eb00e0e0eb0342a0cc4aab06cf7e6e7c8ffd9daa0ffdcd76ffff0ec88fffcfbb6fff3f097fed7d537ff0000008000000080ffffffffffffffffffffffffffffffffffffffff171c12ba58671fbfc2c284f7d5d79ffdf7f5d7ffefed9efee6df55fb92860cccf4f4caff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f201fbc3c463c7d4d5b2ba3686619cb8d8f29e6858216d56b6628ab4e4d3884ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133745490474278000"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698140014454000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000070664fddc2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000908ea9d6c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	Cloud AV 2012v121.exe
1916	Cloud AV 2012v121.exe
1916	Cloud AV 2012v121.exe
1916	Cloud AV 2012v121.exe
1916	Cloud AV 2012v121.exe
1916	Cloud AV 2012v121.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
1628	dwme.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeSecurityPrivilege	2656	msiexec.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe
Token: SeShutdownPrivilege	1076	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
2716	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
2716	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
1916	Cloud AV 2012v121.exe
1916	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe
2716	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1628	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1628	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1628	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1628	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2084	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2084	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2084	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2084	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	31
PID 2504 wrote to memory of 1916	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	32
PID 2504 wrote to memory of 1916	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	32
PID 2504 wrote to memory of 1916	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	32
PID 2504 wrote to memory of 1916	2504	76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe	32
PID 1916 wrote to memory of 2716	1916	Cloud AV 2012v121.exe	33
PID 1916 wrote to memory of 2716	1916	Cloud AV 2012v121.exe	33
PID 1916 wrote to memory of 2716	1916	Cloud AV 2012v121.exe	33
PID 1916 wrote to memory of 2716	1916	Cloud AV 2012v121.exe	33
PID 1628 wrote to memory of 1744	1628	dwme.exe	37
PID 1628 wrote to memory of 1744	1628	dwme.exe	37
PID 1628 wrote to memory of 1744	1628	dwme.exe	37
PID 1628 wrote to memory of 1744	1628	dwme.exe	37
PID 1628 wrote to memory of 600	1628	dwme.exe	38
PID 1628 wrote to memory of 600	1628	dwme.exe	38
PID 1628 wrote to memory of 600	1628	dwme.exe	38
PID 1628 wrote to memory of 600	1628	dwme.exe	38
PID 1628 wrote to memory of 1560	1628	dwme.exe	41
PID 1628 wrote to memory of 1560	1628	dwme.exe	41
PID 1628 wrote to memory of 1560	1628	dwme.exe	41
PID 1628 wrote to memory of 1560	1628	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\225D4\1F41D.exe%C:\Users\Admin\AppData\Roaming\225D4
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\D47DD\lvvm.exe%C:\Program Files (x86)\D47DD
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:600
- - C:\Program Files (x86)\LP\1DB2\3DFA.tmp
    "C:\Program Files (x86)\LP\1DB2\3DFA.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1560
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\76a0f318ccfd9fc95316e17f8e37b027_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Roaming\pivD2onF4m5Q7E8\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\pivD2onF4m5Q7E8\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\225D4\47DD.25D

Filesize
300B

MD5
43192c13b5235ef0dafa09af76248b29

SHA1
e3f841a67c42690a25d055732566061b3ab02485

SHA256
8bbd70568c0b874170c1824d29c3f3161522be50d372d16c638d7324e0dcd8b7

SHA512
c2c45ddc62b3614c1378084062ccf80e7a78e7090a8430cbdb5127648bc16554f03ba834ac0e429bc8c2de248b88870cf852acb5b1f0b9c6d55e3c47c47a47d0

Download Submit
C:\Users\Admin\AppData\Roaming\225D4\47DD.25D

Filesize
696B

MD5
ceeb982f6fd7cbde489b08dac5a5a632

SHA1
d9bd1c855eaf5e877c17d38d52e8fdbed55f0729

SHA256
28f7f5d2f402b39e01e3d9409b6c7aca933061bfb8a2160604088adaba4d859d

SHA512
a78230817cb6d9a25156ac109d334b57f2be8b943a993d894a5d7758c0b8dfee2ba0cc78165867c48fa66b2ac9dd20df748e089cd3022bb301068916690fe8ad

Download Submit
C:\Users\Admin\AppData\Roaming\225D4\47DD.25D

Filesize
1KB

MD5
e429ba2bb15b0a0ce3bf15e1dc18b470

SHA1
0c9470c09244beeeafc9dbf7bbe106f0d5bc52b6

SHA256
dcfa2e4d712a507d837bec4ee2305943498d0dd787a906cd58ce81b5a5d15bac

SHA512
2c11b08cbdca364cdf58021201963c78025fd1fda0fcd96bdc99e87199d57f8d9d020a74931f4d6f2d05a0e420623b446e9d69829784dbff14411dd53495b77a

Download Submit
C:\Users\Admin\AppData\Roaming\225D4\47DD.25D

Filesize
1KB

MD5
2d0a45cfa7099f3bdb96acbe8f66e2dd

SHA1
025b847657b387aa8b324511cbbab77bf8b922c7

SHA256
533d58828f4aece44c32c4b0dc5a9dc7f29d8c9001944eba1e003b7270a92794

SHA512
65abf30270578db4551edb414af0cbaaaea9ea14988a92620faacedecde9fdd59b6e8e756cfe20bf2fa0fe7d9f30ef2f48a60326998611fd43249216ded8f45b

Download Submit
C:\Users\Admin\AppData\Roaming\IYCwkIVrlNx0c1b\Cloud AV 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Filesize
1KB

MD5
655feccf0d75243637378fb488059d11

SHA1
82820eccd4fc9aafd255b76ba0413e57614d0798

SHA256
86d76a7bd1e6a4301780390db462bf47f2092a532228661b0e0203f4848484ef

SHA512
e2f98b1c9166b7dd9b4517426cb66ba26d52383467aa184485ef876fdcfcc4356bb696722ea565db95bc4922475e998f76669220ad79bd5f5628bec6e6174ea0

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
fb7ebe41cbeb985fef9ad7b1a20cddca

SHA1
222780aa8a09458f72925b98c41f559fa2facf73

SHA256
30f8c98c6fa8a6a6c705a5c00bbf93bccdcd9fa01c686529bebe571d6dffb086

SHA512
77ed3e441321bce095f328b6237778f65deccd77dfe4fd29d2f8f5ff8fe11280746a0afacdf2ab336a82dd125a3dfec05009d440451ab6c1049cd8c2da832c09

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk

Filesize
1KB

MD5
f014d39aa68722d4bfd9d00aefcdbd6d

SHA1
a250e78ec523282603896155efcc006601f2f520

SHA256
389a69d31a9b6c910e41a883a00033c59b905beb7bdbfffb215eb6af056ffa66

SHA512
03308c9e020d387bfc299bb8b14c48bd4837c118346daf09ae0540a2be832a2f57710dd1576aa2284c11033c03aa886bc6e8c9a23badd43d26de5ea761351928

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9a41c412a6161808ebfe4416f986434

SHA1
6de0fe06279e2a5925b930afb003e7c56653dbfa

SHA256
81cb1d7b63ab1bbea6be12c2f86ea9be60421f51e772e2a0e90f6730ff6af330

SHA512
2ff84f9cedad0fdc2f84d65c2a9fd1d7d35c0939ae26bb13768a8660c32b8807c0de2d680339ca5e63f8576597f0ed377ac8435884376426789ca58c2326f3ea

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6cbcb3063ff02ef7cd4b2790c0a83c27

SHA1
3449da45ddb98f35590b84231536ce86275c380d

SHA256
de71b7fd05f0a8b844e7aab0ab41b144c84c1524397d88875c01d94e12825e0d

SHA512
c2e95aeddb91458f31cd92500cfee9753ff9bfbe2549a715ef4826771ac7a808aafba2ac8d4acfd4af6c0fb242f3689de3630b39c41594831129e9c76ebd0a05

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
da92c10d26caf9083835ea4e9c9d39d9

SHA1
5248b4965b5b3aeca5dd12f59dcae26d0186b052

SHA256
ccf1bd93891bb2e22540ef9baf3acc2e7a30c46054cb12b08567a43ac3fdc8ae

SHA512
28e848434bba3facc9a92a9d6fdfc1257261d01a818ef389db3b37c0103451d51c62efa6ac41453f42de22e685d7f55d00405a63dec8dd2928e856fb18becff5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7189bfae8d2a9c76c2f3a3eac2df23d9

SHA1
3731fa337fb60b367fb83c1e2fcee83cd8dc5e66

SHA256
23491126826d8f49d982115714857dafd2b56fec0ea8a499c2112e4b7bc84dab

SHA512
11e37b2e643acf5efa90a24638fe93acc500200029b5607d5bf98c4208b0e5b0604b59929951634ce592b55b29bfc2789ddf43fc5c97e03860e054eb082a81e1

Download Submit
\Program Files (x86)\LP\1DB2\3DFA.tmp

Filesize
99KB

MD5
b6c44c70136fcbed1aace964c4e98e9d

SHA1
4f7961087e09cdf03efe4fe0b7f2243499504628

SHA256
75d10ab1bea3e7cb80e3c0048b79cf0496c88b885ff853d6f430c71272030bcd

SHA512
801762bbc8ffa62fd49dadb75bfa0ff31f73ee4b712c91d23885f0d4fbc45eebbc30f2ab84e04ce375e8a269bb2a1c8514c4dd9cbd50f42e5960987c719092da

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
279KB

MD5
28f68e83db55f7bea9da2240ed0fb82e

SHA1
f921166658168cd0149fc4bf192ed37a2281ab15

SHA256
41a4cfba62cc917f591523b5adefa926afb6bfe54aba4d2b72ac6f98253d9b58

SHA512
40976449c4a135a2375ef875f0d0e7c0a3f612786ab7901a49b5def17348fdfc57ad0b6fb7e83ea01714d8c95f1154c27502572f1905bfde18d818ffe58fcbc6

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
76a0f318ccfd9fc95316e17f8e37b027

SHA1
2cea245a4e1de4749d98c550cc84d8cb7ce9569a

SHA256
72ed6850b21610aad10f6e8b079401cc2498d65c07983c3c4db740153be464a8

SHA512
9da5e433bcbcec953849ed2d7f56349786ae900cc4d2dfa333064f2e3251bf32026dca7c747cfc5dbab18ee2950175a9a478a09613168d096634f1d02fcf83ae

Download Submit
memory/600-198-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1560-318-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1560-319-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1628-312-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1628-119-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1628-373-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1628-194-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1744-123-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1916-30-0x0000000002E90000-0x00000000032A5000-memory.dmp

Filesize
4.1MB

Download
memory/1916-39-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2084-43-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2084-42-0x0000000002160000-0x0000000002260000-memory.dmp

Filesize
1024KB

Download
memory/2504-29-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2504-0-0x0000000002E80000-0x0000000003295000-memory.dmp

Filesize
4.1MB

Download
memory/2504-28-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2504-2-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2504-1-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2716-290-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2716-44-0x0000000002F50000-0x0000000003365000-memory.dmp

Filesize
4.1MB

Download
memory/2716-126-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2716-201-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2716-317-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download