pony | 645397aa16ec0291f74945cc4d4a535d7a8b26b1ac11629be76a91f50124c658

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
Size

1.9MB
MD5

8d823732d7c08e9d006ad28dcfcd9853
SHA1

50bd2a3e3d9cb967c8aa9fd72bb0a2626d350da3
SHA256

645397aa16ec0291f74945cc4d4a535d7a8b26b1ac11629be76a91f50124c658
SHA512

9be430e058188fd78d2134eb002f55c8206f1b16edd9f9d27f1cdcf18a1c840202ddfabd7cfa6012c64467f426db58d5ba76f961844f09859cbade5dc72aada3
SSDEEP

49152:6yH9zPqoEUP/QsGDFxUGXET3pb2uQUr3ZAK6SQKS:RHZhgFxUfT3gu3r3ZAn

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 7 IoCs

pid	Process
1932	dwme.exe
2400	dwme.exe
1740	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
1792	dwme.exe
1528	dwme.exe
680	3044.tmp

Loads dropped DLL 14 IoCs

pid	Process
1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
1740	Cloud AV 2012v121.exe
1740	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\u2ibD3pnG8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SP0ucS1ib3n4m6W = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IvS2ibF3pGaHdKf8234A = "C:\\Users\\Admin\\AppData\\Roaming\\KaQJ6dWK8R\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\28A.exe = "C:\\Program Files (x86)\\LP\\5BF4\\28A.exe"	dwme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-2-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1700-27-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1700-28-0x0000000000400000-0x0000000000914000-memory.dmp	upx
behavioral1/memory/1740-38-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2400-42-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1932-113-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1792-125-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2812-128-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1932-194-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1528-200-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2812-206-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2812-284-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1932-306-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2812-311-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1932-372-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\5BF4\28A.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\5BF4\28A.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\5BF4\3044.tmp	dwme.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3044.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133649261030136000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080020200812e3201a4757e03d6b2b713efaaaa04e6696e02c2111100580000000000000000000000000000000000000058b0b0b0b0000000adfffffffff6f7f3ffbec887ffb7c23effd8de60fffafcb4fffafbbdffeef168ff919d07de242c0035030300030000000000000000000000a5ffffffff000000c000000080232b01bc8f9a34f5c3ca51ffc9ce32fff6f7a6ffffffd3fffdfe98fff2f675ff748d09dc0f15005b0000000000000000000000c0ffffffff7f7f7fffc7c9b7ff797e3effafb35dff9fa724ffcccd6fffececd0ffdadb9cffe2e82cfff5f77bffbecc36ff233001b00000000000000000000000c0ffffffff000000a6252501bb676b2af8848617ff434303a70303004f0101004e0b0b0055737d02c3d0dc24ffb6c92cff2e4e02d70000000000000000000000c0ffffffff000000a62e2b02d46a6324fe837709ff1715016a0000004d0000004d0000004d2a2d027ab9c63effc0ce70ff51781bec0000000000000000000000c0ffffffff030303a8282101bb877e4ef9b1a361ff605426b20001004e0000004d0002004e666025b8bbb866ff9da357ff2a3802d30000000000000000000000e07f7f7fff030303d61d1c0c887b7047edd0c49ffead985bf365592bb624200e73625d2ab7a3a155f5e1d8bbff939459ff141701a60000004b00000080000000c07f7f7fff0e0e0eb00e100eb1342b0cc5b19f6cf5d8cba8ffc7ba86ffbdb77affcac794ffd8d7b3ffa8a76af5abaa83ff0002008100000080ffffffffffffffffffffffffffffffffffffffff161613b8574318b1ac915af0d5c8a4fbe0ddc2fed4d2aefcb0aa70f3433c08a9f7f6f3ff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e78504830986b531dc5795714d968591bc74c512e9e3e413e7affffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0000000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fac000000000000002000000e80707004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000060ce72cb4ed1da0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000501d48c14ed1da0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133751457723250000"	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	Cloud AV 2012v121.exe
1740	Cloud AV 2012v121.exe
1740	Cloud AV 2012v121.exe
1740	Cloud AV 2012v121.exe
1740	Cloud AV 2012v121.exe
1740	Cloud AV 2012v121.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
1932	dwme.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe
Token: SeShutdownPrivilege	1748	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2812	Cloud AV 2012v121.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2812	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2812	Cloud AV 2012v121.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2812	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
1740	Cloud AV 2012v121.exe
1740	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1932	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1932	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1932	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1932	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2400	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2400	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2400	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2400	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	31
PID 1700 wrote to memory of 1740	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	32
PID 1700 wrote to memory of 1740	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	32
PID 1700 wrote to memory of 1740	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	32
PID 1700 wrote to memory of 1740	1700	8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe	32
PID 1740 wrote to memory of 2812	1740	Cloud AV 2012v121.exe	33
PID 1740 wrote to memory of 2812	1740	Cloud AV 2012v121.exe	33
PID 1740 wrote to memory of 2812	1740	Cloud AV 2012v121.exe	33
PID 1740 wrote to memory of 2812	1740	Cloud AV 2012v121.exe	33
PID 1932 wrote to memory of 1792	1932	dwme.exe	36
PID 1932 wrote to memory of 1792	1932	dwme.exe	36
PID 1932 wrote to memory of 1792	1932	dwme.exe	36
PID 1932 wrote to memory of 1792	1932	dwme.exe	36
PID 1932 wrote to memory of 1528	1932	dwme.exe	38
PID 1932 wrote to memory of 1528	1932	dwme.exe	38
PID 1932 wrote to memory of 1528	1932	dwme.exe	38
PID 1932 wrote to memory of 1528	1932	dwme.exe	38
PID 1932 wrote to memory of 680	1932	dwme.exe	41
PID 1932 wrote to memory of 680	1932	dwme.exe	41
PID 1932 wrote to memory of 680	1932	dwme.exe	41
PID 1932 wrote to memory of 680	1932	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\43091\AB65B.exe%C:\Users\Admin\AppData\Roaming\43091
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\91B01\lvvm.exe%C:\Program Files (x86)\91B01
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1528
- - C:\Program Files (x86)\LP\5BF4\3044.tmp
    "C:\Program Files (x86)\LP\5BF4\3044.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:680
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Roaming\KaQJ6dWK8R\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\KaQJ6dWK8R\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\43091\1B01.309

Filesize
300B

MD5
9c7c7d3db2cab7eef7e1b475d6af8eb7

SHA1
b133ef9e3e6531d0743ed9f0449ed4dc3279a60a

SHA256
db0c36887c57029394f58141a7975f30db7983f544096fe2be52b4495976bea1

SHA512
6da77d6c0adb9ae91de89c330db3cfe8c0ebdbaf6e3ee626f685556ac3f33d1dd0ad0c4236677cf48794abbb4bc97d3bfc5748397f6e7315a85895388951f4b6

Download Submit
C:\Users\Admin\AppData\Roaming\43091\1B01.309

Filesize
696B

MD5
4abeee2dbcba03b77ca7bd1eae867a38

SHA1
0a007f97d9f12154bb849ea1159c9d68ddf9d02e

SHA256
47671ffd8b713c3f2ff4c82c5f34afeb230daf16c33b91f5c7b9a210576a02c8

SHA512
c698aea34764f1e337345f2bf1e82381105e8923dbc415b96f5f7b6420bdf810f09220b05e1526add911561b7a78861edba2af5df694b9b0823b9642d88ba5a9

Download Submit
C:\Users\Admin\AppData\Roaming\43091\1B01.309

Filesize
1KB

MD5
cd7f5a60f85573daf753d149466f49cc

SHA1
9363e9f7eb07e206f28c0b0884b41e1f25d501db

SHA256
3d1e172cf40b3d2c95659b87c21fda39ce1191e359212d5fee6fa0a63abe718c

SHA512
c1184c048ca1b29f2c2a425aff8232a991760be1cf7586e94af2dc9e89e6bfdaae9b4038043b57410d80560a03050feedc809d80c34314e172bf15db91daf0d9

Download Submit
C:\Users\Admin\AppData\Roaming\43091\1B01.309

Filesize
1KB

MD5
34499513802070318e0a234fa3bc8f90

SHA1
ac6744607503d7c71284ab61ce8943ff84c6a9ba

SHA256
3fa48aedbfaa9cea16a312e86d08deee7282b4e4e413d0ee7e0014bd90744b36

SHA512
65bb5f15143646d630859fdecefe1b389dacae7083242cda7a1c1357ed18c063f31f2d6c740ae98e3305eb00ce9e7618928a30a8b8cec7e602b3fae793d060d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Filesize
1KB

MD5
22f3354be9fcbfad013655590c56c7ba

SHA1
2a222895b628d4c6669b24bba63ae44def7ceabd

SHA256
af83565241e16053d1e51e3f67d936ad6f388a3e7f3ab180da90c2e84a4b8bc6

SHA512
3c2902220a6f8377b00f8ea9c67ae10f162ddeed701357c543e042ff7dc6f3c9d4d767182ca51bc0b96b5125e802cd40cd4ef8c35e4c465149970128629f4c1e

Download Submit
C:\Users\Admin\AppData\Roaming\OYXwkUVelBz0c1v\Cloud AV 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
612B

MD5
ec82cfa14478215ea8e412907780c381

SHA1
c8fdedb60a0c3a83d0fb72abe115be264dc89338

SHA256
b159995872d74fbe1d54f561f5702ed75f26c19e85caa51599abb76f10ad68bf

SHA512
76f700b0d8a5247dc188ccefd674b7d0ee1842a06f00f64c780599b7757bd3f6e87a0f0c1c887947cacdb8fbda5d0b935bf91007ff794bf821125d46bf15a1b5

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
bc84802c6569135b0613b518ed3b674d

SHA1
9e6c1d1e8ecbe8e8506624ca45f4e88576c608d8

SHA256
8ef22020d76c6d83941be931a9434d40a4aa42b3c7f711197e838bd91c1455cf

SHA512
9ab4bff4fb9c4c192fcd8f5e5c75a6428f714d048c7f5f5c6af3e81e36fb1354736432d0af169d162dfb50a315cdfa15240e64cb15d3b7648e3d1a8a76049af7

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk

Filesize
1KB

MD5
94978bc3dde772a609ec092df42e692f

SHA1
678f099a1027536bbe6f6f6fb4fb6625dbf71e7b

SHA256
145a23cfe9b98b167237e03c82e78cc736011efa701bdb2c455234a875efa4bb

SHA512
a12ea2d3c8dc3b35ed72a15f888b41179f555ad480040568df3c69ce84df581c99e5917da632a2e7fc449ee70a6c3df368b35441c2734d4f16e33f6704173b2e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
36dfa60cf7f29a2dc9490d564ca144b9

SHA1
eb5317b4e6c4d9d7685f971f4fa1dcc1574bbffb

SHA256
7c0d3bd7425c1e8c3ee7eb43008e581ff18f857dc596fc15e137b85b11cf2e30

SHA512
05f0372c838e7a5de8b0c8f70986f93d267be0d9d700e04c833c56f1ce12b632fefc46d5d108762a6543910a50c64798cc69aaa64dedcc675878e59df717586c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
240d7cae8e391e295306e8fc0cfc9572

SHA1
f4abdf41e5c7731d7db779e93f6cb2a45e23ad57

SHA256
f81f7e0e06da058fd81b70380a06e7d101ae3822d7619ee162293785b34163e7

SHA512
ca9a5ef1e1b16eca9c385ecc9cff75eb30e4e1bda996e154365c5f370950d094c676b4ce0c0f48b97b89ec915a5329f2bbac5ef464396ce91b139159a9db63ce

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
a13948b289b4cd583cf97b68ffa38269

SHA1
b49e3bf18153a9481b0017f5a860bc924ae5800d

SHA256
af9f8ff34151c9bbe699c4735739a726fa3eb8629401418258723073f4f4ee05

SHA512
76aa99a5241f08de5d8ea5215cadab68adee79e8cec8ef5f9974e3e830a77c11241df7a9787fae7b140ff4029b8701c3cf61563d8c337e5a5b1cc5e9b8a1797f

Download Submit
\Program Files (x86)\LP\5BF4\3044.tmp

Filesize
99KB

MD5
b6c44c70136fcbed1aace964c4e98e9d

SHA1
4f7961087e09cdf03efe4fe0b7f2243499504628

SHA256
75d10ab1bea3e7cb80e3c0048b79cf0496c88b885ff853d6f430c71272030bcd

SHA512
801762bbc8ffa62fd49dadb75bfa0ff31f73ee4b712c91d23885f0d4fbc45eebbc30f2ab84e04ce375e8a269bb2a1c8514c4dd9cbd50f42e5960987c719092da

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
279KB

MD5
28f68e83db55f7bea9da2240ed0fb82e

SHA1
f921166658168cd0149fc4bf192ed37a2281ab15

SHA256
41a4cfba62cc917f591523b5adefa926afb6bfe54aba4d2b72ac6f98253d9b58

SHA512
40976449c4a135a2375ef875f0d0e7c0a3f612786ab7901a49b5def17348fdfc57ad0b6fb7e83ea01714d8c95f1154c27502572f1905bfde18d818ffe58fcbc6

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
8d823732d7c08e9d006ad28dcfcd9853

SHA1
50bd2a3e3d9cb967c8aa9fd72bb0a2626d350da3

SHA256
645397aa16ec0291f74945cc4d4a535d7a8b26b1ac11629be76a91f50124c658

SHA512
9be430e058188fd78d2134eb002f55c8206f1b16edd9f9d27f1cdcf18a1c840202ddfabd7cfa6012c64467f426db58d5ba76f961844f09859cbade5dc72aada3

Download Submit
memory/680-312-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1528-200-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1700-27-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1700-28-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/1700-0-0x0000000002D70000-0x0000000003185000-memory.dmp

Filesize
4.1MB

Download
memory/1700-2-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1700-1-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/1740-29-0x0000000002CA0000-0x00000000030B5000-memory.dmp

Filesize
4.1MB

Download
memory/1740-38-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1792-125-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1932-194-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1932-372-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1932-113-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1932-306-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2400-42-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2400-41-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/2812-284-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2812-206-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2812-311-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2812-128-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2812-43-0x0000000002B30000-0x0000000002F45000-memory.dmp

Filesize
4.1MB

Download