pony | 79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492

General

Target

79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
Size

1.1MB
MD5

d3021071b734890e96b5c842a110b0a9
SHA1

4641e2b0cc28e0fbab2770b518026d7a84e1556d
SHA256

79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492
SHA512

65b3b0e663f9d88d854774f9846599059eec4a87c7cac5c6c55f77092d017dc26a8af464e105df23a26ba0e61c567aa55efae80f7ae7874c2727d1f6f43565f6

Score

10^/10

pony rat spyware stealer

Malware Config

Extracted

Family

pony

C2

https://goodservices.co.vu/https://goodservices.co.vu/hcox/panel/gate.php

Attributes

payload_url
https://goodservices.co.vu/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of SetThreadContext 25 IoCs

Processes:

79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe

description	pid	process	target process
PID 1468 set thread context of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 set thread context of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 set thread context of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 set thread context of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 set thread context of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 set thread context of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 set thread context of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 set thread context of 2572	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	recover.exe
PID 1468 set thread context of 1192	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	xcopy.exe
PID 1468 set thread context of 4280	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	TSTheme.exe
PID 1468 set thread context of 4156	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	esentutl.exe
PID 1468 set thread context of 4532	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SystemPropertiesDataExecutionPrevention.exe
PID 1468 set thread context of 4184	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	ttdinject.exe
PID 1468 set thread context of 4216	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	UserAccountBroker.exe
PID 1468 set thread context of 3988	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dvdplay.exe
PID 1468 set thread context of 2424	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	verclsid.exe
PID 1468 set thread context of 480	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	proquota.exe
PID 1468 set thread context of 4900	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	colorcpl.exe
PID 1468 set thread context of 600	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	pcaui.exe
PID 1468 set thread context of 2056	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netbtugc.exe
PID 1468 set thread context of 4844	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	cacls.exe
PID 1468 set thread context of 1972	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	findstr.exe
PID 1468 set thread context of 2036	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	MuiUnattend.exe
PID 1468 set thread context of 3568	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	compact.exe
PID 1468 set thread context of 4612	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe

pid	process
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exeSearchFilterHost.exeschtasks.exeregsvr32.exedllhost.exemcbuilder.exeextrac32.exenetiougc.exerecover.exe

description	pid	process
Token: SeDebugPrivilege	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
Token: SeImpersonatePrivilege	4672	SearchFilterHost.exe
Token: SeTcbPrivilege	4672	SearchFilterHost.exe
Token: SeChangeNotifyPrivilege	4672	SearchFilterHost.exe
Token: SeCreateTokenPrivilege	4672	SearchFilterHost.exe
Token: SeBackupPrivilege	4672	SearchFilterHost.exe
Token: SeRestorePrivilege	4672	SearchFilterHost.exe
Token: SeIncreaseQuotaPrivilege	4672	SearchFilterHost.exe
Token: SeAssignPrimaryTokenPrivilege	4672	SearchFilterHost.exe
Token: SeImpersonatePrivilege	340	schtasks.exe
Token: SeTcbPrivilege	340	schtasks.exe
Token: SeChangeNotifyPrivilege	340	schtasks.exe
Token: SeCreateTokenPrivilege	340	schtasks.exe
Token: SeBackupPrivilege	340	schtasks.exe
Token: SeRestorePrivilege	340	schtasks.exe
Token: SeIncreaseQuotaPrivilege	340	schtasks.exe
Token: SeAssignPrimaryTokenPrivilege	340	schtasks.exe
Token: SeImpersonatePrivilege	4364	regsvr32.exe
Token: SeTcbPrivilege	4364	regsvr32.exe
Token: SeChangeNotifyPrivilege	4364	regsvr32.exe
Token: SeCreateTokenPrivilege	4364	regsvr32.exe
Token: SeBackupPrivilege	4364	regsvr32.exe
Token: SeRestorePrivilege	4364	regsvr32.exe
Token: SeIncreaseQuotaPrivilege	4364	regsvr32.exe
Token: SeAssignPrimaryTokenPrivilege	4364	regsvr32.exe
Token: SeImpersonatePrivilege	1584	dllhost.exe
Token: SeTcbPrivilege	1584	dllhost.exe
Token: SeChangeNotifyPrivilege	1584	dllhost.exe
Token: SeCreateTokenPrivilege	1584	dllhost.exe
Token: SeBackupPrivilege	1584	dllhost.exe
Token: SeRestorePrivilege	1584	dllhost.exe
Token: SeIncreaseQuotaPrivilege	1584	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	1584	dllhost.exe
Token: SeImpersonatePrivilege	5028	mcbuilder.exe
Token: SeTcbPrivilege	5028	mcbuilder.exe
Token: SeChangeNotifyPrivilege	5028	mcbuilder.exe
Token: SeCreateTokenPrivilege	5028	mcbuilder.exe
Token: SeBackupPrivilege	5028	mcbuilder.exe
Token: SeRestorePrivilege	5028	mcbuilder.exe
Token: SeIncreaseQuotaPrivilege	5028	mcbuilder.exe
Token: SeAssignPrimaryTokenPrivilege	5028	mcbuilder.exe
Token: SeImpersonatePrivilege	1852	extrac32.exe
Token: SeTcbPrivilege	1852	extrac32.exe
Token: SeChangeNotifyPrivilege	1852	extrac32.exe
Token: SeCreateTokenPrivilege	1852	extrac32.exe
Token: SeBackupPrivilege	1852	extrac32.exe
Token: SeRestorePrivilege	1852	extrac32.exe
Token: SeIncreaseQuotaPrivilege	1852	extrac32.exe
Token: SeAssignPrimaryTokenPrivilege	1852	extrac32.exe
Token: SeImpersonatePrivilege	3644	netiougc.exe
Token: SeTcbPrivilege	3644	netiougc.exe
Token: SeChangeNotifyPrivilege	3644	netiougc.exe
Token: SeCreateTokenPrivilege	3644	netiougc.exe
Token: SeBackupPrivilege	3644	netiougc.exe
Token: SeRestorePrivilege	3644	netiougc.exe
Token: SeIncreaseQuotaPrivilege	3644	netiougc.exe
Token: SeAssignPrimaryTokenPrivilege	3644	netiougc.exe
Token: SeImpersonatePrivilege	2572	recover.exe
Token: SeTcbPrivilege	2572	recover.exe
Token: SeChangeNotifyPrivilege	2572	recover.exe
Token: SeCreateTokenPrivilege	2572	recover.exe
Token: SeBackupPrivilege	2572	recover.exe
Token: SeRestorePrivilege	2572	recover.exe
Token: SeIncreaseQuotaPrivilege	2572	recover.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe

description	pid	process	target process
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 4672	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	SearchFilterHost.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 340	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	schtasks.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 4364	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	regsvr32.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 1584	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	dllhost.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 5028	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	mcbuilder.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 1852	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	extrac32.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 3644	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	netiougc.exe
PID 1468 wrote to memory of 1780	1468	79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe	ttdinject.exe

C:\Users\Admin\AppData\Local\Temp\79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe
"C:\Users\Admin\AppData\Local\Temp\79b18eb46544d371c9eb56ca68817206c907e6fb681481d7546a6ff6e7130492.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\SearchFilterHost.exe
"C:\Windows\SysWOW64\SearchFilterHost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\SysWOW64\dllhost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\mcbuilder.exe
"C:\Windows\SysWOW64\mcbuilder.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\SysWOW64\extrac32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\netiougc.exe
"C:\Windows\SysWOW64\netiougc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\SysWOW64\ttdinject.exe
"C:\Windows\SysWOW64\ttdinject.exe"
2⤵
PID:1780

C:\Windows\SysWOW64\recover.exe
"C:\Windows\SysWOW64\recover.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\xcopy.exe
"C:\Windows\SysWOW64\xcopy.exe"
2⤵
PID:1192

C:\Windows\SysWOW64\TSTheme.exe
"C:\Windows\SysWOW64\TSTheme.exe"
2⤵
PID:4280

C:\Windows\SysWOW64\esentutl.exe
"C:\Windows\SysWOW64\esentutl.exe"
2⤵
PID:4156

C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
"C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe"
2⤵
PID:4532

C:\Windows\SysWOW64\RMActivate.exe
"C:\Windows\SysWOW64\RMActivate.exe"
2⤵
PID:4736

C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe
"C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe"
2⤵
PID:4520

C:\Windows\SysWOW64\ttdinject.exe
"C:\Windows\SysWOW64\ttdinject.exe"
2⤵
PID:4184

C:\Windows\SysWOW64\UserAccountBroker.exe
"C:\Windows\SysWOW64\UserAccountBroker.exe"
2⤵
PID:4216

C:\Windows\SysWOW64\waitfor.exe
"C:\Windows\SysWOW64\waitfor.exe"
2⤵
PID:1948

C:\Windows\SysWOW64\RmClient.exe
"C:\Windows\SysWOW64\RmClient.exe"
2⤵
PID:3116

C:\Windows\SysWOW64\dvdplay.exe
"C:\Windows\SysWOW64\dvdplay.exe"
2⤵
PID:3988

C:\Windows\SysWOW64\SystemPropertiesProtection.exe
"C:\Windows\SysWOW64\SystemPropertiesProtection.exe"
2⤵
PID:1300

C:\Windows\SysWOW64\verclsid.exe
"C:\Windows\SysWOW64\verclsid.exe"
2⤵
PID:2424

C:\Windows\SysWOW64\proquota.exe
"C:\Windows\SysWOW64\proquota.exe"
2⤵
PID:480

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:4900

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:1944

C:\Windows\SysWOW64\pcaui.exe
"C:\Windows\SysWOW64\pcaui.exe"
2⤵
PID:600

C:\Windows\SysWOW64\netbtugc.exe
"C:\Windows\SysWOW64\netbtugc.exe"
2⤵
PID:2056

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe"
2⤵
PID:4844

C:\Windows\SysWOW64\findstr.exe
"C:\Windows\SysWOW64\findstr.exe"
2⤵
PID:1972

C:\Windows\SysWOW64\MuiUnattend.exe
"C:\Windows\SysWOW64\MuiUnattend.exe"
2⤵
PID:2036

C:\Windows\SysWOW64\compact.exe
"C:\Windows\SysWOW64\compact.exe"
2⤵
PID:3568

C:\Windows\SysWOW64\tttracer.exe
"C:\Windows\SysWOW64\tttracer.exe"
2⤵
PID:3600

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\SysWOW64\extrac32.exe"
2⤵
PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-137-0x0000000000000000-mapping.dmp

Download
memory/340-141-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/480-224-0x0000000000000000-mapping.dmp

Download
memory/480-228-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/600-239-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/600-235-0x0000000000000000-mapping.dmp

Download
memory/1192-183-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1192-179-0x0000000000000000-mapping.dmp

Download
memory/1300-218-0x0000000000000000-mapping.dmp

Download
memory/1468-131-0x0000000005120000-0x00000000051BC000-memory.dmp

Filesize
624KB

Download
memory/1468-271-0x0000000000F10000-0x0000000000FA2000-memory.dmp

Filesize
584KB

Download
memory/1468-270-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/1468-130-0x00000000006C0000-0x00000000007DE000-memory.dmp

Filesize
1.1MB

Download
memory/1584-153-0x0000000000000000-mapping.dmp

Download
memory/1584-156-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1584-157-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1780-173-0x0000000000000000-mapping.dmp

Download
memory/1852-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1852-163-0x0000000000000000-mapping.dmp

Download
memory/1944-234-0x0000000000000000-mapping.dmp

Download
memory/1948-211-0x0000000000000000-mapping.dmp

Download
memory/1972-253-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1972-249-0x0000000000000000-mapping.dmp

Download
memory/2036-254-0x0000000000000000-mapping.dmp

Download
memory/2036-258-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2056-240-0x0000000000000000-mapping.dmp

Download
memory/2424-219-0x0000000000000000-mapping.dmp

Download
memory/2424-223-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2572-174-0x0000000000000000-mapping.dmp

Download
memory/2572-178-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3116-212-0x0000000000000000-mapping.dmp

Download
memory/3568-259-0x0000000000000000-mapping.dmp

Download
memory/3568-263-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3600-264-0x0000000000000000-mapping.dmp

Download
memory/3644-168-0x0000000000000000-mapping.dmp

Download
memory/3644-172-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3988-217-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3988-213-0x0000000000000000-mapping.dmp

Download
memory/4156-193-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4156-189-0x0000000000000000-mapping.dmp

Download
memory/4184-201-0x0000000000000000-mapping.dmp

Download
memory/4184-205-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4216-206-0x0000000000000000-mapping.dmp

Download
memory/4216-210-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4280-184-0x0000000000000000-mapping.dmp

Download
memory/4280-188-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-149-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-152-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-150-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-148-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-145-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-142-0x0000000000000000-mapping.dmp

Download
memory/4520-200-0x0000000000000000-mapping.dmp

Download
memory/4532-197-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4532-198-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4532-194-0x0000000000000000-mapping.dmp

Download
memory/4612-269-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4612-265-0x0000000000000000-mapping.dmp

Download
memory/4672-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4672-133-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4672-132-0x0000000000000000-mapping.dmp

Download
memory/4672-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4736-199-0x0000000000000000-mapping.dmp

Download
memory/4844-248-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4844-244-0x0000000000000000-mapping.dmp

Download
memory/4900-233-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4900-229-0x0000000000000000-mapping.dmp

Download
memory/5028-158-0x0000000000000000-mapping.dmp

Download
memory/5028-161-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5028-162-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads