pony | c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d

General

Target

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Size

225KB
MD5

57a9a1489abff9bf710a6449f627a7ec
SHA1

b78147c9cb333dfc4dcab39309808dded9eaabe5
SHA256

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d
SHA512

4fe2722b84dd47c309d8bf161e5df97d976a9bead33efad16b17abbbc388da4bd0ebbab7fee716e912b0a44604a3f74ddb9bccaf46a994fa4f5e4cc691bea2e9
SSDEEP

3072:4VSKIWJOOuepNUnzLBitqnHBXo/f+QqfABAh6S1/Z7i/e5rdUtYN8FK/qjoOzjNK:aJwepKnzLnpzQAABAh6SXrvKFZjN

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://sunbulahqroup.com/tobo/Panel/gate.php

http://www.sunbulahqroup.com/tobo/Panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/696-58-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/696-60-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/696-61-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/696-64-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/696-65-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/696-70-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/696-73-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1080-83-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1080-85-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1080-87-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1968 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1968	cmd.exe

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	takshost.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exe

description	pid	process	target process
PID 1492 set thread context of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 636 set thread context of 1080	636	takshost.exe	takshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe

pid process

1492 c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe

pid	process
1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exec75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exetakshost.exe

description	pid	process
Token: SeDebugPrivilege	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeDebugPrivilege	636	takshost.exe
Token: SeImpersonatePrivilege	1080	takshost.exe
Token: SeTcbPrivilege	1080	takshost.exe
Token: SeChangeNotifyPrivilege	1080	takshost.exe
Token: SeCreateTokenPrivilege	1080	takshost.exe
Token: SeBackupPrivilege	1080	takshost.exe
Token: SeRestorePrivilege	1080	takshost.exe
Token: SeIncreaseQuotaPrivilege	1080	takshost.exe
Token: SeAssignPrimaryTokenPrivilege	1080	takshost.exe
Token: SeImpersonatePrivilege	1080	takshost.exe
Token: SeTcbPrivilege	1080	takshost.exe
Token: SeChangeNotifyPrivilege	1080	takshost.exe
Token: SeCreateTokenPrivilege	1080	takshost.exe
Token: SeBackupPrivilege	1080	takshost.exe
Token: SeRestorePrivilege	1080	takshost.exe
Token: SeIncreaseQuotaPrivilege	1080	takshost.exe
Token: SeAssignPrimaryTokenPrivilege	1080	takshost.exe
Token: SeImpersonatePrivilege	1080	takshost.exe
Token: SeTcbPrivilege	1080	takshost.exe
Token: SeChangeNotifyPrivilege	1080	takshost.exe
Token: SeCreateTokenPrivilege	1080	takshost.exe
Token: SeBackupPrivilege	1080	takshost.exe
Token: SeRestorePrivilege	1080	takshost.exe
Token: SeIncreaseQuotaPrivilege	1080	takshost.exe
Token: SeAssignPrimaryTokenPrivilege	1080	takshost.exe
Token: SeImpersonatePrivilege	1080	takshost.exe
Token: SeTcbPrivilege	1080	takshost.exe
Token: SeChangeNotifyPrivilege	1080	takshost.exe
Token: SeCreateTokenPrivilege	1080	takshost.exe
Token: SeBackupPrivilege	1080	takshost.exe
Token: SeRestorePrivilege	1080	takshost.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exec75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exetakshost.exe

description	pid	process	target process
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 696	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1492 wrote to memory of 636	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 1492 wrote to memory of 636	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 1492 wrote to memory of 636	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 1492 wrote to memory of 636	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 1492 wrote to memory of 636	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 1492 wrote to memory of 636	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 1492 wrote to memory of 636	1492	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 696 wrote to memory of 1104	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	cmd.exe
PID 696 wrote to memory of 1104	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	cmd.exe
PID 696 wrote to memory of 1104	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	cmd.exe
PID 696 wrote to memory of 1104	696	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	cmd.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 636 wrote to memory of 1080	636	takshost.exe	takshost.exe
PID 1080 wrote to memory of 1968	1080	takshost.exe	cmd.exe
PID 1080 wrote to memory of 1968	1080	takshost.exe	cmd.exe
PID 1080 wrote to memory of 1968	1080	takshost.exe	cmd.exe
PID 1080 wrote to memory of 1968	1080	takshost.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

takshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
"C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
  "C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7115096.bat" "C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe" "
    3⤵
    PID:1104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    3⤵
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7134034.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "
      4⤵
      Deletes itself
      PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7115096.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7134034.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
memory/636-67-0x0000000000000000-mapping.dmp

Download
memory/636-84-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/636-75-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/636-71-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/696-70-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-64-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-65-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-61-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-62-0x000000000041AF70-mapping.dmp

Download
memory/696-57-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-58-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-73-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1080-83-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1080-87-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1080-81-0x000000000041AF70-mapping.dmp

Download
memory/1080-85-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1104-72-0x0000000000000000-mapping.dmp

Download
memory/1492-69-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1492-56-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-55-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads