{
	"id": "aafddb8c-6ba0-4a92-a3fa-e6a7f3774270",
	"created_at": "2026-04-29T08:21:33.575012Z",
	"updated_at": "2026-04-29T10:42:10.038532Z",
	"deleted_at": null,
	"sha1_hash": "d9fa88e203620b118beba3d52f03924acecae87d",
	"title": "And you get a POS malware name...and you get a POS malware name....and you get a POS malware name....",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 998490,
	"plain_text": "And you get a POS malware name...and you get a POS malware name....and you get a POS malware name....\r\nArchived: 2026-04-29 07:56:20 UTC\r\nThis morning I woke up to find Trend Micro/Trend Labs had a new post on an \"old undetected PoS malware\" which they have called \"PwnPOS\". I was interested at first, but this looks like just another case of randomly assigning names to malware and/or threat actors. Unfortunately for the folks at Trend, who usually put out pretty good work, the scraper in question (which is an executable file that I have personally seen with many names, but we will refer to it as \"wnhelp.exe\") is old. Very, very old. In fact, the date/time stamp embedded into the file itself is from 2010.\r\nwnhelp as seen in PEStudio 8.46\r\nThe scraper is very basic: it looks through memory for Track data, and when it finds matching data, it saves it to a file \"perfb419.dat\" under the Windows/System32 folder. There are sometimes legitimate files with similar names under this path; no doubt it was an effort by the attackers to make the data blend in.\r\nhttps://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html\r\nPage 1 of 6\r\nExample of \"track\" data collected in perfb419.dat.\r\nThe scraper itself does not have an active exfiltration mechanism, so either an additional file(s) is needed to exfil the collected data or the attacker(s) can remotely access the system and send the file out (email, ftp, file sharing site, etc). wnhelp uses a \"service\" persistence mechanism in order to stay running on the machine, so looking at just CurrentVersion/Run in the Registry will not allow you to detect the file. The service is named \"Windows Media Help\", and the information that is collected from the Live Response Collection using SysInternals autorunsc is listed below:\r\nwnhelp embedded under the \"Windows Media Help\" service\r\nThe exfiltration methods listed in the Trend article \"might\" be new, but I cannot be certain as I personally do not have access to those files (yet, I am working on that). I am leery of how new these files may be though, simply based on the liberties that Trend appears to have taken with the original wnhelp file. Additionally, of all the files listed in the Trend post, the most recent compile time is listed as 2012, with most of the compile times dating back to 2010. None of these files appear to be \"new\" at all.\r\nNot \"new\" or \"under the radar\"\r\nBack in 2013, the wnhelp sample was uploaded to malwr, among other sites, to use their automated malware analysis tool.\r\nmalwr results from 2013\r\nAdditionally, a Google search for the md5 hash (c86327222d873fb4e12900a5cadcb849) shows that, at the very least, a user of the domain \"systemexplorer.net\" posed a question about wnhelp back in 2012. I did not dig through all of the results, but 83 search results, with several entries on the first page relating to \"malware\" in one form or another, is hardly flying \"under the radar\".\r\nsystemexplorer.net query of wnhelp from 2012\r\nUPDATE (March 6, 2015): As @maldr0id pointed out, the wnhelp file was submitted to virustotal back on October 2, 2012, with a 3/42 detection ratio. Interestingly enough, Trend Micro was one of the three that detected the file as malicious. The same file was uploaded to virustotal on February 16, 2011. At that time it had a 0/43 detection ratio.\r\nvirustotal results of scraper file, performed on October 2, 2012\r\nvirustotal results of scraper file, performed on February 16, 2011\r\nIn the Trend post, the author stated \"PwnPOS is one of those perfect examples of malware that’s able to fly under the radar all these years\". As you can see from just the examples that are listed above, that statement is simply not true. It does highlight the importance of understanding \"what\" is running within your POS environment. It also highlights the importance of regularly checking systems within your POS environment to make sure that they are running properly and there is nothing \"else\" (malicious or otherwise) running on those systems.\r\nSeveral months ago I came across a domain that was hosting this (and other) samples of POS malware. I collected all of the samples and files on the domain. The owners of the domain let the registration lapse a few months ago, at which time I purchased it and re-directed it to \"fbi.gov\" (my own way of \"getting back\" at bad actors). If you are interested please feel free to contact me, I will share some of the files with you (I cannot share them all, as some of the files contained information that I legally cannot share).\r\nSource: https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html"
	],
	"report_names": [
		"and-you-get-pos-malware-nameand-you-get.html"
	],
	"threat_actors": [],
	"ts_created_at": 1777450893,
	"ts_updated_at": 1777459330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9fa88e203620b118beba3d52f03924acecae87d.pdf",
		"text": "https://archive.orkl.eu/d9fa88e203620b118beba3d52f03924acecae87d.txt",
		"img": "https://archive.orkl.eu/d9fa88e203620b118beba3d52f03924acecae87d.jpg"
	}
}