cycbot | 4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
Size

1.9MB
MD5

8c450ef4b459456b4b037dbb321619a5
SHA1

3a84b8c946a16accb03cb173c87ab465fbbd1194
SHA256

4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be
SHA512

8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e
SSDEEP

49152:ydOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:IOjtMaWZUxUfT35X06si

Score

10^/10

cycbot pony backdoor credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2704-42-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2740-148-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1728-152-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2740-217-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/308-221-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2740-319-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2740-387-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 7 IoCs

pid	Process
2740	dwme.exe
2704	dwme.exe
2812	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
1728	dwme.exe
308	dwme.exe
2808	7EF0.tmp

Loads dropped DLL 14 IoCs

pid	Process
2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\95C.exe = "C:\\Program Files (x86)\\LP\\1A3A\\95C.exe"	dwme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QD3onG4am6W7E88234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D1ivD3onFaHsJdL = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucS2ibD3pGaHsKf8234A = "C:\\Users\\Admin\\AppData\\Roaming\\gS2ibF3pn5Q6W7R\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2168-2-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2168-26-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2168-28-0x0000000000400000-0x0000000000914000-memory.dmp	upx
behavioral1/memory/2812-39-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2704-42-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2168-139-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2740-148-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1728-152-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2596-155-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2740-217-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/308-221-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2596-224-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2596-308-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2740-319-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2596-327-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2596-337-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral1/memory/2740-387-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LP\1A3A\7EF0.tmp	dwme.exe
File created	C:\Program Files (x86)\LP\1A3A\95C.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\1A3A\95C.exe	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7EF0.tmp

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080030e0087223c01a8526a02ce5b8304e2466502cc1b3001a30000004b0000000000000000000000000000000000000058b0b0b0b0000000adfffffcffecf6d5ffb6dc58ffc7df50ffd0e160ffd5e185ffbdd76cffb1cc64ff344e02c00306000d000000000000000000000000000000a5ffffffff000000c01a19008d788901dbdde84efdedf487ffcbdc29ffa5bd17ffa8c23bffbdd16eff89a231f6242801bb0000004b0000000000000000000000c0ffffffff7f7f7fffccd873ffdbe244fff7fa6effdee858ffcbd75cffe9ecceffb9ca76ff8daf2affb1bd6cff708338ff101601a50000000000000000000000c0ffffffff000000a6adb80aeafafbf7fffefdb3ff808827c9090b00550000004d0001004e494e0dac8d9b33ff7b8647ff252d05cf0000000000000000000000c0ffffffff000000a6b7bb01f2fefefbfffeffe9ff27250c750101004e0000004d0000004d1618016c787e06ff6d6f2dff2f3203e20000000000000000000000c0ffffffff030303a8746b02d3d1cc59fddcd268ff7c6d25bf030400500000004d0000004d615625b3b2aa6aff9c966dff252702cf0000000000000000000000e07f7f7fff030303d6413a0a99a1983bf2ded59afebaa956f56d5f2db8241e0e7266582ab4aa9856f3ccc49bfe969063ff121501a60000004b00000080000000c07f7f7fff0e0e0eb014130db2473a0cc9baa76af6ddd0aaffcfbd8fffbeaa70ffcbba8affdccdaeffad9d69f4afa888ff0003008100000080ffffffffffffffffffffffffffffffffffffffff191613b8584217b0aa8d58f0d2c49ffce6dcc7fed3c49efbab8e58ef473208a5f7f6f3ff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc3e3e3e78524531976c501ec4785a15da6c511ec4514531973e3f3e79ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133815939457484000"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698140141790000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000f0a60cf6c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000f034cceec2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2740	dwme.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	2348	msiexec.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe
Token: SeShutdownPrivilege	2072	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2596	Cloud AV 2012v121.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2596	Cloud AV 2012v121.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe
2072	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
2812	Cloud AV 2012v121.exe
2812	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe
2596	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2740	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	30
PID 2168 wrote to memory of 2740	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	30
PID 2168 wrote to memory of 2740	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	30
PID 2168 wrote to memory of 2740	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	30
PID 2168 wrote to memory of 2704	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	31
PID 2168 wrote to memory of 2704	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	31
PID 2168 wrote to memory of 2704	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	31
PID 2168 wrote to memory of 2704	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	31
PID 2168 wrote to memory of 2812	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	32
PID 2168 wrote to memory of 2812	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	32
PID 2168 wrote to memory of 2812	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	32
PID 2168 wrote to memory of 2812	2168	JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe	32
PID 2812 wrote to memory of 2596	2812	Cloud AV 2012v121.exe	33
PID 2812 wrote to memory of 2596	2812	Cloud AV 2012v121.exe	33
PID 2812 wrote to memory of 2596	2812	Cloud AV 2012v121.exe	33
PID 2812 wrote to memory of 2596	2812	Cloud AV 2012v121.exe	33
PID 2740 wrote to memory of 1728	2740	dwme.exe	36
PID 2740 wrote to memory of 1728	2740	dwme.exe	36
PID 2740 wrote to memory of 1728	2740	dwme.exe	36
PID 2740 wrote to memory of 1728	2740	dwme.exe	36
PID 2740 wrote to memory of 308	2740	dwme.exe	37
PID 2740 wrote to memory of 308	2740	dwme.exe	37
PID 2740 wrote to memory of 308	2740	dwme.exe	37
PID 2740 wrote to memory of 308	2740	dwme.exe	37
PID 2740 wrote to memory of 2808	2740	dwme.exe	39
PID 2740 wrote to memory of 2808	2740	dwme.exe	39
PID 2740 wrote to memory of 2808	2740	dwme.exe	39
PID 2740 wrote to memory of 2808	2740	dwme.exe	39

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\A9146\7D81A.exe%C:\Users\Admin\AppData\Roaming\A9146
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\464C9\lvvm.exe%C:\Program Files (x86)\464C9
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:308
- - C:\Program Files (x86)\LP\1A3A\7EF0.tmp
    "C:\Program Files (x86)\LP\1A3A\7EF0.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2808
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Roaming\gS2ibF3pn5Q6W7R\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\gS2ibF3pn5Q6W7R\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A9146\64C9.914

Filesize
300B

MD5
79fc18557d026ab468892c6106633ad4

SHA1
8786bd927c5f97c44f776a29efa8300a3ee3e03e

SHA256
af53c8b9634fda741431ba598511f095c3c520a9529da103370a10ad0194c3b5

SHA512
84a4233efd7be69570f068a8ee5896208c2578c99a1683f711e68ce4f612f6d455b2e89618fe9dd6e3f91c1da68589e024f1307c27d19ff9febc814dee3ae85d

Download Submit
C:\Users\Admin\AppData\Roaming\A9146\64C9.914

Filesize
696B

MD5
4f6dc49499df64dd6599a5723703b523

SHA1
8d095b6055fb96c9ee7f042ffb9d232aa8e6a6a5

SHA256
31b194134661f88549b2263a80f07e9cd7b24e5be7488a9260cf5590d9855b22

SHA512
77709fd8a9b427174ec03fb1a1c5600d9d56f0a08c110c32042374452da17f599355c3c7cdbb395b028686b02f7f9e0688ebd6ceddbb30de99f809e79b4112fd

Download Submit
C:\Users\Admin\AppData\Roaming\A9146\64C9.914

Filesize
1KB

MD5
42bf2dcb117bb0d85c775016e00330c6

SHA1
5137088ccc567320055693e9ce107797efa3aeb7

SHA256
297f60ed99994647ebe5c714bda74d7a547db207367bf35ab4e924680ca27a6d

SHA512
fd36c2cbba246e4f16c33b093f6b37654aef157481892d4031c81e1ae7172a981fcc786627b95efd4bd6f7460beb40e7a9bdacc611c61a87975f81915890d5dc

Download Submit
C:\Users\Admin\AppData\Roaming\A9146\64C9.914

Filesize
1KB

MD5
4dd5188bb5a743ecd187397cbc4deff2

SHA1
95f7b1659bc5d9a28a8535efeb9f828831a77eba

SHA256
ebc1e0d2a5d2ddd2468ba277701e869a1d9c3f57ac7013bbc8ae5879010c3bc9

SHA512
9b58bbf9a8722096b50781b6a70fb60f3e803d227d452f2519fbbd534626d6e613d1b33ac1852dc8f706a01d197b7e5b587c4ae4a8fa8f5d22953fc13ac7f2a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk

Filesize
1KB

MD5
c46896dabbedb7001bc7f8b129368826

SHA1
ccb3bfdd216e26b542d76243ce16dd8a19963f99

SHA256
f8a1a2fb3288bda49c7fdb347bf66b756e471dd3047883c60f6076171b4169e2

SHA512
1da3516f4d64b8ada0b381e88bf92a586010ace14ffc6f5f9991be67c83a59b4e65ef62fa9003e384c25751e6bb012bd6a1c00ddfea4952200a6263178e2d70e

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
832714f96516cf127eeccbc92937c0bb

SHA1
ad7aef128242e0ff0d1b91e984d87fcea41cf07e

SHA256
4af5eff1f446f1d6a4f7bbcb3ad39b6dcf76bbede7819deb4f13822733f99506

SHA512
9a5649f2aa84344465905eebcc8f300f01690217971eae91548b023c70e3cc0bb1a02d4fe6bea48be7c86d78d7e29e08db99e12454b2eb9f3e045e9a4a883413

Download Submit
C:\Users\Admin\AppData\Roaming\w5sQJ6dEKf\Cloud AV 2012.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\Desktop\Cloud AV 2012.lnk

Filesize
1KB

MD5
48720c52fe63052e0944e22a0fb4decc

SHA1
0493a546116713e9fc73d99a055508bddd1a971f

SHA256
9bf143f08bd5438cb8a6d55b49a3216f948abfaf427a72946b0c4754e36bd832

SHA512
ca94814a81804064e764f960dd40294609f13207b01bcff81609f3953b0b20e816dfde753c4488ce2b7a475e722568646e6651ae587f07e1d6c2f7fb93f4c97e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
da92c10d26caf9083835ea4e9c9d39d9

SHA1
5248b4965b5b3aeca5dd12f59dcae26d0186b052

SHA256
ccf1bd93891bb2e22540ef9baf3acc2e7a30c46054cb12b08567a43ac3fdc8ae

SHA512
28e848434bba3facc9a92a9d6fdfc1257261d01a818ef389db3b37c0103451d51c62efa6ac41453f42de22e685d7f55d00405a63dec8dd2928e856fb18becff5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f48cfb5db32cdf990f35a5ef9146dbf4

SHA1
09b4f991e17aba915160f6c153c6d78e2d4aa4d9

SHA256
72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397

SHA512
385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301

Download Submit
\Program Files (x86)\LP\1A3A\7EF0.tmp

Filesize
99KB

MD5
ac9682380b3c94ffe32d0aca1a53d53e

SHA1
7c1485c7d2720d433306ff5c86fd944331bc4447

SHA256
cd0e4cd89551d243fd1365950d28470d56a09f29e834d13288f6ca1aff4c1626

SHA512
978eaa0bfd1c62d4e7eaac0470ed29dfcc683aef8b087fbd76caf1218d700010d1bb2ae1d155811665e52c842326bef1779d082161b72c8c25c8e6167ea12eb9

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
279KB

MD5
c97ff984c8643e9a8404592683cd7162

SHA1
9f0e2724d047c794b4457fb799cc6e96438a7292

SHA256
1c5529c199a8a1744246396812a2e90c847ca78a6a438592010fe1b0573fdf32

SHA512
f18481023fc45bc8618dd2aa481d806d1c799b5a635ed2ad64be0ed3f26470330973bfa04a56349f8cc473761bab1ea1780d07c7d77b5895b4aef0219e7a4bf6

Download Submit
\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
8c450ef4b459456b4b037dbb321619a5

SHA1
3a84b8c946a16accb03cb173c87ab465fbbd1194

SHA256
4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be

SHA512
8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e

Download Submit
memory/308-221-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1728-152-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2168-28-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2168-0-0x0000000002DD0000-0x00000000031E5000-memory.dmp

Filesize
4.1MB

Download
memory/2168-139-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2168-26-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2168-1-0x0000000000400000-0x0000000000914000-memory.dmp

Filesize
5.1MB

Download
memory/2168-2-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2596-155-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2596-327-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2596-224-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2596-43-0x0000000002B60000-0x0000000002F75000-memory.dmp

Filesize
4.1MB

Download
memory/2596-337-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2596-308-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2704-41-0x00000000021D0000-0x00000000022D0000-memory.dmp

Filesize
1024KB

Download
memory/2704-42-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2740-387-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2740-319-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2740-148-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2740-217-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2808-324-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2812-39-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/2812-29-0x0000000002E30000-0x0000000003245000-memory.dmp

Filesize
4.1MB

Download