cycbot | fe2351aab904fea18c08e92562655bbcad81344f2d76694a706b579ef4d23344

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
Size

1.9MB
MD5

d50a85152019db21ee360180ae5980d4
SHA1

02dae0d2a018c4fd32d12113bb6a38bf7ac63f70
SHA256

fe2351aab904fea18c08e92562655bbcad81344f2d76694a706b579ef4d23344
SHA512

0d411a13a2fea9687e2b234e42ea6991832e1c02e90b40f7d79bf6b49a793432a6e555c6becbb38dd2f33f0d22751de94bfca92eee85aac8869460d23f1e8c22
SSDEEP

49152:IyC6Gn7rPcqIKaxPqAlTRo122ep1C+D/cHmfg6s:Il6GMdP0aTRYTep8+7cUF

Score

10^/10

cycbot pony backdoor credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1808-43-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2052-143-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2952-153-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2052-226-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1940-230-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2052-332-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2052-402-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 7 IoCs

pid	Process
2052	dwme.exe
1808	dwme.exe
2280	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2952	dwme.exe
1940	dwme.exe
1984	6519.tmp

Loads dropped DLL 14 IoCs

pid	Process
2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
2280	Cloud AV 2012v121.exe
2280	Cloud AV 2012v121.exe
2052	dwme.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2052	dwme.exe
2052	dwme.exe
2052	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vK8fRL9hTqUeIrO8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cgTXqjYCeIrOtAu = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\i2obF3pmGa8234A = "C:\\Users\\Admin\\AppData\\Roaming\\XF4pmG5sQ6E8R9T\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\533.exe = "C:\\Program Files (x86)\\LP\\A50E\\533.exe"	dwme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-2-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2364-29-0x0000000000400000-0x0000000000914000-memory.dmp	upx
behavioral1/memory/2364-28-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2280-40-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/1808-43-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2052-143-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2952-153-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2252-156-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2052-226-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1940-230-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2252-236-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2252-324-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2052-332-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2252-338-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2052-402-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\A50E\533.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\A50E\533.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\A50E\6519.tmp	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6519.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133781041517364000"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698139981962000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000035696969690000007000000080000000800000008000000080000000800000008000000080000000800000004b0000000000000000000000000000000000000058b0b0b0b0000000adffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000000000000000000000000000000000000a5ffffffff000000c0000000800000008000000080ffffffffffffffff00000080000000800000008000000080000000800000004b0000000000000000000000c0ffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000800000000000000000000000c0ffffffff000000a60000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000c0ffffffff000000a60000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000c0ffffffff030303a80303034f0000004d0000004d0000004d0000004d0000004d0000004d0000004d0000004dffffffff000000800000000000000000000000e07f7f7fff030303d6101010580f0f0f580a0a0a54030303500000004d0000004d0000004d0000004d0000004dffffffff000000800000004b00000080000000c07f7f7fff0e0e0eb00e0e0eb0141414901c1c1c611c1c1c611717175d0c0c0c550202024e0000004d0000004dffffffff0000008000000080ffffffffffffffffffffffffffffffffffffffff141414b428282869282828692828286928282869262626681818185e08080853ffffffff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e783e3e3e783e3e3e783e3e3e783e3e3e783e3e3e783e3e3e78ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0030000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e8070c004100720067006a0062006500780020002000330020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000201923d42149db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e8070c004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000e0838fd32149db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\Registry\User\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	Cloud AV 2012v121.exe
2280	Cloud AV 2012v121.exe
2280	Cloud AV 2012v121.exe
2280	Cloud AV 2012v121.exe
2052	dwme.exe
2052	dwme.exe
2052	dwme.exe
2052	dwme.exe
2052	dwme.exe
2052	dwme.exe
2280	Cloud AV 2012v121.exe
2280	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeSecurityPrivilege	3004	msiexec.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
1912	explorer.exe
2252	Cloud AV 2012v121.exe
1912	explorer.exe
1912	explorer.exe
2252	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
2280	Cloud AV 2012v121.exe
2280	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe
2252	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2052	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2052	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2052	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2052	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	31
PID 2364 wrote to memory of 1808	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	32
PID 2364 wrote to memory of 1808	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	32
PID 2364 wrote to memory of 1808	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	32
PID 2364 wrote to memory of 1808	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	32
PID 2364 wrote to memory of 2280	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	33
PID 2364 wrote to memory of 2280	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	33
PID 2364 wrote to memory of 2280	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	33
PID 2364 wrote to memory of 2280	2364	d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe	33
PID 2280 wrote to memory of 2252	2280	Cloud AV 2012v121.exe	35
PID 2280 wrote to memory of 2252	2280	Cloud AV 2012v121.exe	35
PID 2280 wrote to memory of 2252	2280	Cloud AV 2012v121.exe	35
PID 2280 wrote to memory of 2252	2280	Cloud AV 2012v121.exe	35
PID 2052 wrote to memory of 2952	2052	dwme.exe	36
PID 2052 wrote to memory of 2952	2052	dwme.exe	36
PID 2052 wrote to memory of 2952	2052	dwme.exe	36
PID 2052 wrote to memory of 2952	2052	dwme.exe	36
PID 2052 wrote to memory of 1940	2052	dwme.exe	38
PID 2052 wrote to memory of 1940	2052	dwme.exe	38
PID 2052 wrote to memory of 1940	2052	dwme.exe	38
PID 2052 wrote to memory of 1940	2052	dwme.exe	38
PID 2052 wrote to memory of 1984	2052	dwme.exe	41
PID 2052 wrote to memory of 1984	2052	dwme.exe	41
PID 2052 wrote to memory of 1984	2052	dwme.exe	41
PID 2052 wrote to memory of 1984	2052	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\E8858\733A5.exe%C:\Users\Admin\AppData\Roaming\E8858
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\580CA\lvvm.exe%C:\Program Files (x86)\580CA
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Program Files (x86)\LP\A50E\6519.tmp
    "C:\Program Files (x86)\LP\A50E\6519.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1984
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1808
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\d50a85152019db21ee360180ae5980d4_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Roaming\XF4pmG5sQ6E8R9T\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\XF4pmG5sQ6E8R9T\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E8858\80CA.885

Filesize
696B

MD5
fecdc2e0ff03aeef878634c26fd23818

SHA1
c1a83c5032f0a56c0ba3e4651dfbe0cfe4897e0a

SHA256
41e165c15bb20040015c59da5bad7136a397411863c7a52cb4f5805e0c812ca1

SHA512
480c7d6c54edff2457035851ab0a18b1e0c7d641a9986ee82d533be114d114ce5e204bb100d16adcb90b52af3723243a78cf9d85561c55f17b4759a8957fe851

Download Submit
C:\Users\Admin\AppData\Roaming\E8858\80CA.885

Filesize
1KB

MD5
ae65a104b891108c845bbd5a6ebdcbe6

SHA1
160cfe0403b8737563e692e518cdf0ebed2bae38

SHA256
4d2ceba9b5767fdcdb78d5cdbeaa11faa3ce370af31f669162342f5efa7dc0c2

SHA512
9911db93610f1097b0dc54d16f595db00229a2ec371fe3bccd851b65f0fbe2ae9eac4b5cd53c2b33dede9a7d3ee4c456441e2c4d95221ac63fd06eb2181b6e8f

Download Submit
C:\Users\Admin\AppData\Roaming\E8858\80CA.885

Filesize
1KB

MD5
3c854e0b12e66f9e2b32f42189f3247b

SHA1
dc70e7b4680d4dcb03845821bb1f39bf50ba632c

SHA256
1e05abd9147ba4734757e5fd25a639e5c77249674f7c7b3a89fa29e5ccd9c1c9

SHA512
7fd62abfa5a3ac0172cb9aaca7f583c41b2d51fb04f655c8a586f4989542f3244b59ed1f89738c28ecaf42cc62d1e1ab6d64bb4161de478f1b9e3e452ec1a338

Download Submit
C:\Users\Admin\AppData\Roaming\E8858\80CA.885

Filesize
300B

MD5
99dadcdd7015907d61136cafc1d8621e

SHA1
9daa49f8e83f9eee12f4fba851916edf68167db9

SHA256
b03c86ce5c657044abd2021bfe0e22034e03f825548db944ec8ad2161b2d61db

SHA512
2c7fac516f171b17532028f542df854ab95450adb13620e55ed88f059796984b0ba372ba2e16900d3285d48feeb7bb372cd4c6fbe4e35bb3f114b993036e5332

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Filesize
1KB

MD5
1590a662cd66daa4e3d590131819de41

SHA1
3783c82f2137ff6a6e2fd913b1ceea7063867c39

SHA256
6a123a8435e40ddbced76a9079cd52ddf6dc195c5fa4b0e5804d21cf2dc885f2

SHA512
61e73b039f23b751f553c80fa420f2718940206a18a92e0acff127e061e73bffb4bb8741d5391ceca18f81010971579cff744df14c7f176aab6cda8594a7d84b

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
dd7c41e37943b9e4555309c58062e5ed

SHA1
1041cdc3d37e7d7ef64de4df88ab74bd7a9024ac

SHA256
51eb0fb866268a644bef19c1e884b1f930f06f68fbf9aef4dd97c66e722820dc

SHA512
60714f898ac0e1c7852bf961ba44f3de0913a4b0eeb0107bb112d33f7cb1a38819696e54ebc632b54f4f8c49beab1abd2fc7b1e10575b316dbed6168d2cd6e3d

Download Submit
C:\Users\Admin\AppData\Roaming\xhYXwkUVeOtPyAi\Cloud AV 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk

Filesize
1KB

MD5
6384d798e31854b91db919fce03bdc4a

SHA1
5555e8f14018c6e2158cda426271d037c11df213

SHA256
de03d2af8b2b783afd37fe7d9419d5c2df9d8b8001d113d77ce1ff4c40774864

SHA512
08aed7991dffdc5ab8c5959b865734708c7aec2b139d64857a317e9a9c409ba44746e0062c5918bce9cd746c17840c454ab08c4a0e7b381eb2f96d973e7bded4

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
400ae8ef6820124f5711f92820a2bb5e

SHA1
50bd21eea6145992ce1e9d541746529e9065b10a

SHA256
9e3e13194a15f48289c6fba64bba7bc1b6b25cc127261a3304c2adb409cb9527

SHA512
108e1cc9b18c262f8bb86fdf438f3591e5d43dafb70c1547b0c57e1e4972ddbfe3b33a8e90de786d356781903453a9f240d437ac44fffe2f092811f2456dac88

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
240d7cae8e391e295306e8fc0cfc9572

SHA1
f4abdf41e5c7731d7db779e93f6cb2a45e23ad57

SHA256
f81f7e0e06da058fd81b70380a06e7d101ae3822d7619ee162293785b34163e7

SHA512
ca9a5ef1e1b16eca9c385ecc9cff75eb30e4e1bda996e154365c5f370950d094c676b4ce0c0f48b97b89ec915a5329f2bbac5ef464396ce91b139159a9db63ce

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f48cfb5db32cdf990f35a5ef9146dbf4

SHA1
09b4f991e17aba915160f6c153c6d78e2d4aa4d9

SHA256
72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397

SHA512
385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
da92c10d26caf9083835ea4e9c9d39d9

SHA1
5248b4965b5b3aeca5dd12f59dcae26d0186b052

SHA256
ccf1bd93891bb2e22540ef9baf3acc2e7a30c46054cb12b08567a43ac3fdc8ae

SHA512
28e848434bba3facc9a92a9d6fdfc1257261d01a818ef389db3b37c0103451d51c62efa6ac41453f42de22e685d7f55d00405a63dec8dd2928e856fb18becff5

Download Submit
\Program Files (x86)\LP\A50E\6519.tmp

Filesize
99KB

MD5
cb853d0e676be7b23903aa89175d8d69

SHA1
2066462d42c45133df60c5e5f9e8956373d191b0

SHA256
7291b34528651c542a4e09036bb828f27c9f75c134d2be3aed3e1c5a0db5fe20

SHA512
bf96f4c8511929ef380562004211a72821330465538db6da3367cbce387092384265e0bfd4ab54e62b742d68d668ff1457f43381d7a770fd3027f3bab1f36038

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
279KB

MD5
535b08b0737a0524b133be6401338383

SHA1
bf6a1bf46d7b14aaa6602dffa2c57d6e4d3825cb

SHA256
7a4b21348910d59745ab13eb5f31d172bb78e065cbe2bfe75ecc79ac1bccddf3

SHA512
67202f0b15d6bb89b5dff4dbf6246e6aaa449ba8056966680ab14fe8ba974fda25c351b6dd0b4aafb0eedc2f28b0a9e0eaf7aebb1d127569c836e8c2b22f6521

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
d50a85152019db21ee360180ae5980d4

SHA1
02dae0d2a018c4fd32d12113bb6a38bf7ac63f70

SHA256
fe2351aab904fea18c08e92562655bbcad81344f2d76694a706b579ef4d23344

SHA512
0d411a13a2fea9687e2b234e42ea6991832e1c02e90b40f7d79bf6b49a793432a6e555c6becbb38dd2f33f0d22751de94bfca92eee85aac8869460d23f1e8c22

Download Submit
memory/1808-43-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1808-42-0x0000000002260000-0x0000000002360000-memory.dmp

Filesize
1024KB

Download
memory/1940-230-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1984-337-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2052-332-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2052-226-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2052-402-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2052-143-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2252-324-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2252-338-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2252-156-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2252-236-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2252-44-0x0000000002E60000-0x000000000327D000-memory.dmp

Filesize
4.1MB

Download
memory/2280-40-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2280-30-0x0000000002DD0000-0x00000000031ED000-memory.dmp

Filesize
4.1MB

Download
memory/2364-2-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2364-29-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2364-28-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2364-0-0x0000000002E80000-0x000000000329D000-memory.dmp

Filesize
4.1MB

Download
memory/2364-1-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2952-153-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download