cycbot | 3b31c8cce7b8a24dd175a06ffd23aa21a2eb37415fe8a7b0876ecb8865f6a9fc

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
Size

2.8MB
MD5

142cce6c8e06744bc0cbd5425c309f4f
SHA1

16c16dcc37cf688cdbc96c9e3be126e06a4a3942
SHA256

3b31c8cce7b8a24dd175a06ffd23aa21a2eb37415fe8a7b0876ecb8865f6a9fc
SHA512

b42b832bad0130af5b4e104883e92d87c647fd55a8ee166cf761632ab5b6ee43a0afea8622f133df73defcf86326e109d17cb523c47e9deb5964e5c5a9f805c1
SSDEEP

49152:/2W7bHP6W59tEEz3R/N9KZV8ora4hkz4HVXZ4:eov6Stpz35OZCj4hkz41J

Score

10^/10

cycbot pony backdoor credential_access defense_evasion discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 7 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2164-50-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1972-126-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2208-130-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1972-203-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2004-207-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1972-313-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1972-387-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	dwme.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
defense_evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Protection 2011v121.exe

Executes dropped EXE 7 IoCs

pid	Process
1972	dwme.exe
2164	dwme.exe
1856	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2208	dwme.exe
2004	dwme.exe
2592	48C3.tmp

Loads dropped DLL 14 IoCs

pid	Process
3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
1856	AV Protection 2011v121.exe
1856	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OYXwkUVelBz0c1v8234A = "C:\\Windows\\system32\\AV Protection 2011v121.exe"	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZtzPNycA1v2b4m5 = "C:\\Users\\Admin\\AppData\\Roaming\\dwme.exe"	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wUVrlOBtx0c1v8234A = "C:\\Users\\Admin\\AppData\\Roaming\\pVrlONtxPuSiDoG\\AV Protection 2011v121.exe"	AV Protection 2011v121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9FB.exe = "C:\\Program Files (x86)\\LP\\4676\\9FB.exe"	dwme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	AV Protection 2011v121.exe
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3044-5-0x0000000000400000-0x0000000000918000-memory.dmp	upx
behavioral1/memory/3044-32-0x0000000000400000-0x0000000000913000-memory.dmp	upx
behavioral1/memory/3044-31-0x0000000000400000-0x0000000000918000-memory.dmp	upx
behavioral1/memory/1856-44-0x0000000000400000-0x0000000000918000-memory.dmp	upx
behavioral1/memory/2164-50-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1972-126-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2208-130-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2828-133-0x0000000000400000-0x0000000000918000-memory.dmp	upx
behavioral1/memory/1972-203-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2004-207-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2828-210-0x0000000000400000-0x0000000000918000-memory.dmp	upx
behavioral1/memory/2828-305-0x0000000000400000-0x0000000000918000-memory.dmp	upx
behavioral1/memory/1972-313-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2828-319-0x0000000000400000-0x0000000000918000-memory.dmp	upx
behavioral1/memory/1972-387-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\4676\9FB.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\4676\9FB.exe	dwme.exe
File opened for modification	C:\Program Files (x86)\LP\4676\48C3.tmp	dwme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48C3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwme.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\LastAdvertisement = "133820863345384000"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133698139981962000"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400300010001000ffffffff2110ffffffffffffffff424d36000000000000003600000028000000100000004000000001002000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000000410000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c00000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000004b818181c0ffffffff00000080000000000000000000000000000000002e2e2e8a0000004b000000000000000000000000000000000000000c0000004b818181c0ffffffffffffffff0000008000000000000000000000000000000000b7b7b7b73838388e00000045000000000000004b0000008000000080818181c0ffffffffffffffffffffffff0000008000000000000000000f0f0f810000004242424242ecececf40b0b0b810000000e00000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002381818181646464a20000004200000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005c000000276c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000809d9d9dc10000005c0c0c0c0cecececf40000007a0c0c0c0cecececf40000007a00000080ffffffff808080ffffffffffffffffffffffffffffffffff00000080a4a4a4c50000005f0c0c0c0cecececf40000007a0f0f0f0fe8e8e8f10000007800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000005f0000002a6c6c6c6c939393bb0000005730303030bababad30000006800000080ffffffff808080ffffffffffffffffffffffffffffffffff000000800000000000000000e5e5e5ed191919830000002384848484646464a2000000420000004b00000080000000807e7e7ebfffffffffffffffffffffffff0000008000000000000000000f0f0f810000004245454545ecececf40a0a0a800000000e00000000000000000000000b0000004b7e7e7ebfffffffffffffffff0000008000000000000000000000000000000000c0c0c0c03636368d00000045000000000000000000000000000000000000000b0000004b7e7e7ebfffffffff0000008000000000000000000000000000000000272727880000004b0000000000000000000000000000000000000000000000000000000b0000004b7e7e7ebf0000004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000003f0000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000003569696969000000700000008000000080000000801c26019e435d02ca597103dd455602c71c24019d0000004b0000000000000000000000000000000000000058b0b0b0b0000000adfffffffff3f7efffbac886ffa5b843ffbfce70ffc6d177ffbec969ffa6b745ff374301bd0406000e000000000000000000000000000000a5ffffffff000000c000020081263004be9aa545f6b0bf50ffa5b437ff94a313ffa6b033ffb3bf53ff919e39f6242f01bd0000004b0000000000000000000000c0ffffffff7f7f7fffc8c8b8ff708337ffa4ba5dff90a623ffc2c87fffeaecd2ffc2c77fff94a225ffb3b869ff78813fff0f1301a40000000000000000000000c0ffffffff000000a6252501bb687928f9b2b168ff414a03aa0001004e0000004d0000004d434503a8818917ff6f7633ff232302cd0000000000000000000000c0ffffffff000000a62e4502d96a851afe809806ff1818016c0000004d0000004d0000004d1716016c8b7f19ff696523ff2f2a02e10000000000000000000000c0ffffffff030303a82a3e02c4a3b44efccdd161ff766f25bf0000004d0000004d0000004d6a5e24b6baa862ff918459ff271f02cd0000000000000000000000e07f7f7fff030303d61f1c0c89889d3af3f3f0bfffdcd954fa867c2ac528230e757e6d2bbfc9b855f7d9ce9afe928159ff120d01a30000004b00000080000000c07f7f7fff0e0e0eb00e0e0eb03c4a0acddddc6bfcf9f9a8fffcfd97fffffff2fff3f397ffece8a8ffc8b56af7b5a888ff0000008000000080ffffffffffffffffffffffffffffffffffffffff1b1913b9817911c8e8ea53fdfffffdfffffefafffdfcf4ffd6d454f9705b07b9f7f5efff0000008000000080ffffffff808080ff808080ff808080ffffffffff1f1f1fbc44433c7c717723b5a9b30ee7d0c309f3a5a70ee2707224b244433c7cffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff333333ca66666694666666946666669466666694666666946666669466666694ffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff7f7f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000008000000080ffffffff808080ffffffffff808080ffffffffff000000c000000080000000800000008000000080000000800000008000000080000000800000004b0000004b0000008000000080ffffffff00000080000000800000004b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004b000000800000004b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8ff0000f0ff0000e0f30000c0f1000000c0000000c000000000000000000000000000000000000000c0000000c00000c0f10000e0f30000f0ff0000f8ff0000c0030000c0010000c0000000c0000000c0000000c0000000c0000000c000000000000000000000000000000000000000000000000000000001ff0000c7ff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010003000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eac000000000000002000000e80709004100720067006a0062006500780020002000320020004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000f0d0b4c4c2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80709004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000090a03cbec2fdda0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	AV Protection 2011v121.exe
1856	AV Protection 2011v121.exe
1856	AV Protection 2011v121.exe
1856	AV Protection 2011v121.exe
1856	AV Protection 2011v121.exe
1856	AV Protection 2011v121.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
1972	dwme.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeSecurityPrivilege	2868	msiexec.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
2828	AV Protection 2011v121.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
2828	AV Protection 2011v121.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
1856	AV Protection 2011v121.exe
1856	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe
2828	AV Protection 2011v121.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1972	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	30
PID 3044 wrote to memory of 1972	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	30
PID 3044 wrote to memory of 1972	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	30
PID 3044 wrote to memory of 1972	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	30
PID 3044 wrote to memory of 2164	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	31
PID 3044 wrote to memory of 2164	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	31
PID 3044 wrote to memory of 2164	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	31
PID 3044 wrote to memory of 2164	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	31
PID 3044 wrote to memory of 1856	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	32
PID 3044 wrote to memory of 1856	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	32
PID 3044 wrote to memory of 1856	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	32
PID 3044 wrote to memory of 1856	3044	JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe	32
PID 1856 wrote to memory of 2828	1856	AV Protection 2011v121.exe	34
PID 1856 wrote to memory of 2828	1856	AV Protection 2011v121.exe	34
PID 1856 wrote to memory of 2828	1856	AV Protection 2011v121.exe	34
PID 1856 wrote to memory of 2828	1856	AV Protection 2011v121.exe	34
PID 1972 wrote to memory of 2208	1972	dwme.exe	37
PID 1972 wrote to memory of 2208	1972	dwme.exe	37
PID 1972 wrote to memory of 2208	1972	dwme.exe	37
PID 1972 wrote to memory of 2208	1972	dwme.exe	37
PID 1972 wrote to memory of 2004	1972	dwme.exe	38
PID 1972 wrote to memory of 2004	1972	dwme.exe	38
PID 1972 wrote to memory of 2004	1972	dwme.exe	38
PID 1972 wrote to memory of 2004	1972	dwme.exe	38
PID 1972 wrote to memory of 2592	1972	dwme.exe	41
PID 1972 wrote to memory of 2592	1972	dwme.exe	41
PID 1972 wrote to memory of 2592	1972	dwme.exe	41
PID 1972 wrote to memory of 2592	1972	dwme.exe	41

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dwme.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dwme.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\dwme.exe
  "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\6FFAF\4FA46.exe%C:\Users\Admin\AppData\Roaming\6FFAF
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\dwme.exe
    C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\AFE82\lvvm.exe%C:\Program Files (x86)\AFE82
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2004
- - C:\Program Files (x86)\LP\4676\48C3.tmp
    "C:\Program Files (x86)\LP\4676\48C3.tmp"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2592
- C:\Users\Admin\AppData\Roaming\dwme.exe
  C:\Users\Admin\AppData\Roaming\dwme.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\AV Protection 2011v121.exe
  C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Roaming\pVrlONtxPuSiDoG\AV Protection 2011v121.exe
    C:\Users\Admin\AppData\Roaming\pVrlONtxPuSiDoG\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6FFAF\FE82.FFA

Filesize
300B

MD5
a6f222fb19f8352588b3523eabbd8439

SHA1
bc9bd8b8ca215064a186c4c02cdbafc3e4e14ecf

SHA256
449c83ea61f571f4d55f7d0f9be6fe260b4848cc15ad9581925007722ad886d1

SHA512
894b1de690da484a4c3b915f2eec342c7bf0f873979113b96c7c4521f9fcc6be9c90d845b5576fcb2c6e1f6ccc74d22a5b64b60613333a8f23926c9c57a3fe1c

Download Submit
C:\Users\Admin\AppData\Roaming\6FFAF\FE82.FFA

Filesize
696B

MD5
f6bcd2e98d99b4289e812c0f68ee67a7

SHA1
724f1aa381520c90ceb8b21dd882d3978ab4a7c5

SHA256
aa1dfaa36dd6ec28ce1cde2213ce6c716e9ceb190bec364fed214470fbe4b6ef

SHA512
a4ee680a42326a834d62b072c34b9b50d554e1d969e7da6db21863495d171fb68d9b18c04847dffd253eab9ff512278859b917c658bd8daef53e2bf17df12fc9

Download Submit
C:\Users\Admin\AppData\Roaming\6FFAF\FE82.FFA

Filesize
1KB

MD5
2f8f36ad2893b3aa15b2505e0ab84852

SHA1
50853e3c479ce68b5f844fbe3e9ae5a445641afa

SHA256
c34040ff85608d8610efcc79ac4b0b8ad47e754acf0c560263d3b443b844da17

SHA512
b9355f1d506e42715e6517638afe508177c0d420f028666fb34fe11eddb6f999642be86a70a5170bd9f1e1531daa7076f88dc5011196373a84da84ed237ca36c

Download Submit
C:\Users\Admin\AppData\Roaming\6FFAF\FE82.FFA

Filesize
1KB

MD5
ab1daa625093e6ae36fd27445134a628

SHA1
f20617b572a98b8a161d97e7e37dbd8a71855926

SHA256
ee580633017802b39cc6c6bc80dff91d27dde3e15034589ff10cafc4920f4f1f

SHA512
20629e7d4486389ed8172bff07bb71b52b3cad7185004ebecf3c7c7210f38e66bde8d528b5ba08ee8ef282efc9e14ec564ad6200a2332c3c042428012050ca16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk

Filesize
1KB

MD5
4d7824c7b967b44aa03307850ea70e5e

SHA1
253f3335554ece94de222478f9310c4d6b6fb4c1

SHA256
93611a3cb9698a769b7e487a034721b0000ca76a0aa96730ef3b07647b8a492b

SHA512
02d3a88f3943a30a0b14980921535d71015df03dbb2dc649b88813dae08e563d6d5cda7252a4c63d190a2a0915e39114749883046c0a2449f8451f4c65a6dcb3

Download Submit
C:\Users\Admin\AppData\Roaming\T8fRL9hTXjCkBzN\AV Protection 2011.ico

Filesize
12KB

MD5
bb87f71a6e7f979fcb716926d452b6a8

SHA1
f41e3389760eaea099720e980e599a160f0413b9

SHA256
14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

SHA512
e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
612B

MD5
1aea64224ad4c47e16807a0b8d2aa8c8

SHA1
6bd38f9ad375bc69cc543fc7cbc67776349c51b3

SHA256
6841fbe3958457f72d10e053f9c71af14a81ec8c3c59f89ad49bd83f07317a5f

SHA512
d0671e4357f47abacdfc2751d98d55b96784142412fb50c97204248d23a4128482bb2b3dcf0bf1a0a27a24d90da0a1c59c59c03ced06913a65edc7f948df1ce7

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
445eb2e572edb405b1d5c1c66445d04f

SHA1
df2ff7d14ac0711add180ea2e6aa930b5e3c3739

SHA256
96ea084957232e7e64e2f68627d26e39977a58bc95bcdeedd1dfb434d5a853e6

SHA512
1fcc8b856eee1cc03c27221173ba0222295c8923ce9cd29373ef8716ac0270dbe976634818885d22453dae7c49b79df75b5c6073c5d1ce6d2ca43649c0991e8c

Download Submit
C:\Users\Admin\Desktop\AV Protection 2011.lnk

Filesize
1KB

MD5
57e78f8fb427715f2ec59f464d0b19c0

SHA1
b84273e49ee264c0eb7a92e2425de8fd9631292d

SHA256
fb6835c38376ce8129a43fcf479c67aa47a17fd84713cdcfe6bff1b827324388

SHA512
cabdec09240e522391ee5765b46b51da38ef2f5160e19c8cd72e91b4cede6e9f1cffd6c3adb69d7c62c593a72e3ceabb57605f45e250a8fab8eaf91890d8675b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
70c88eb94034e2bdabbb8fcc9e6b3b52

SHA1
33c9dd9841075c8a8aadff2a6b3a79965e1c8561

SHA256
1bc6f75ae872c2e0f78bd7d509a1d980a193e4359c5322e4e8c9908079b6e536

SHA512
2734b3ba4989c99d93232b7bfa3baea6940a1814368c8f8e186cfd17dc16905401a07e577bc1a81e628da6c1c821521242815597724ac8b815094bc40e1a4943

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
9ed0d41b83bb4df1e262e5335a497b96

SHA1
a579e8831f44342470e54fe077b3d1a91f00dbce

SHA256
e1cc6687293d2b51f45ba3dcc580801b2551bbb8494e27855cdc0d11a58e238c

SHA512
cf49215e13f720760f4c901d241a5fd8e93ab059fd5e36c85e050e0350da422d293d394bad3f0f3dbc9c826c9a0b0b00532b31f943b5d0d3b7aacda77ec7613b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
a21810aa0eafee2dc2ac23453ffc848d

SHA1
7be020fc084b81b4f0621b23bc5996f6ddd37316

SHA256
173c100259b671b27f2391437a2472aec8d82eda56ef2184c5f8d77c6b02f43d

SHA512
af381e407f7ec338623a5269ab49126fd9522d6601e9e85003297fcd815d3392eeac7ecd8f8f137a9a56b02ef369881b8436006e8038f2469663bead8c44d10a

Download Submit
\Program Files (x86)\LP\4676\48C3.tmp

Filesize
99KB

MD5
0d57642cffb4a4de227c0021ece3ec81

SHA1
ce9d649dbcaf9e418064118bc26cd26c5fa50034

SHA256
45fd7c3592c44074a862a22e362f2afbf4e718c0fcb13afbff95f4f7bdfe9c1d

SHA512
340a0548cfdb6ab092b082d187262dcaf36c00c0b1ef2b03e3b3588105a139a2e2d55021f2151d2042b807da0a6bd7e4790fa3fa590e599d2a90fe9a8748a3fd

Download Submit
\Users\Admin\AppData\Local\Temp\dwme.exe

Filesize
279KB

MD5
ddf94a6f09746b6ef1460d2462f43df8

SHA1
03a5ceea7acb5f4b7addad1f2da8585e917301d1

SHA256
24ed799d4ca47889707fb2f1377bc96ebde9bd4ea4dac6fe3d8cabea161d56e6

SHA512
d09c2fed2bfc862b93496d747535e0dd9b0b5c46aa48b8b4169a75e30b676ded8f723abae73af156284926071d83dd16ed6c16e7190f9914cc67c9b990a22b46

Download Submit
\Windows\SysWOW64\AV Protection 2011v121.exe

Filesize
2.8MB

MD5
142cce6c8e06744bc0cbd5425c309f4f

SHA1
16c16dcc37cf688cdbc96c9e3be126e06a4a3942

SHA256
3b31c8cce7b8a24dd175a06ffd23aa21a2eb37415fe8a7b0876ecb8865f6a9fc

SHA512
b42b832bad0130af5b4e104883e92d87c647fd55a8ee166cf761632ab5b6ee43a0afea8622f133df73defcf86326e109d17cb523c47e9deb5964e5c5a9f805c1

Download Submit
memory/1856-35-0x0000000003000000-0x000000000341C000-memory.dmp

Filesize
4.1MB

Download
memory/1856-44-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1972-126-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1972-313-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1972-387-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1972-203-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2004-207-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2164-49-0x0000000002200000-0x0000000002300000-memory.dmp

Filesize
1024KB

Download
memory/2164-50-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2208-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2592-318-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2828-210-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/2828-51-0x0000000002FC0000-0x00000000033DC000-memory.dmp

Filesize
4.1MB

Download
memory/2828-133-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/2828-319-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/2828-305-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/3044-0-0x0000000002480000-0x000000000288E000-memory.dmp

Filesize
4.1MB

Download
memory/3044-3-0x0000000003190000-0x00000000035AC000-memory.dmp

Filesize
4.1MB

Download
memory/3044-4-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/3044-5-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/3044-32-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/3044-1-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/3044-31-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download