pony | c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d

General

Target

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Size

225KB
MD5

57a9a1489abff9bf710a6449f627a7ec
SHA1

b78147c9cb333dfc4dcab39309808dded9eaabe5
SHA256

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d
SHA512

4fe2722b84dd47c309d8bf161e5df97d976a9bead33efad16b17abbbc388da4bd0ebbab7fee716e912b0a44604a3f74ddb9bccaf46a994fa4f5e4cc691bea2e9
SSDEEP

3072:4VSKIWJOOuepNUnzLBitqnHBXo/f+QqfABAh6S1/Z7i/e5rdUtYN8FK/qjoOzjNK:aJwepKnzLnpzQAABAh6SXrvKFZjN

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://sunbulahqroup.com/tobo/Panel/gate.php

http://www.sunbulahqroup.com/tobo/Panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3440-135-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3440-137-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3440-138-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3440-140-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3440-144-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2108-150-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2108-151-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2108-153-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2108-155-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exec75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	takshost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

takshost.exec75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	takshost.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exe

description	pid	process	target process
PID 5044 set thread context of 3440	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 1624 set thread context of 2108	1624	takshost.exe	takshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe

pid process

5044 c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe

pid	process
5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exec75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exetakshost.exe

description	pid	process
Token: SeDebugPrivilege	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeImpersonatePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeTcbPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeChangeNotifyPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeCreateTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeBackupPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeRestorePrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeIncreaseQuotaPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeAssignPrimaryTokenPrivilege	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
Token: SeDebugPrivilege	1624	takshost.exe
Token: SeImpersonatePrivilege	2108	takshost.exe
Token: SeTcbPrivilege	2108	takshost.exe
Token: SeChangeNotifyPrivilege	2108	takshost.exe
Token: SeCreateTokenPrivilege	2108	takshost.exe
Token: SeBackupPrivilege	2108	takshost.exe
Token: SeRestorePrivilege	2108	takshost.exe
Token: SeIncreaseQuotaPrivilege	2108	takshost.exe
Token: SeAssignPrimaryTokenPrivilege	2108	takshost.exe
Token: SeImpersonatePrivilege	2108	takshost.exe
Token: SeTcbPrivilege	2108	takshost.exe
Token: SeChangeNotifyPrivilege	2108	takshost.exe
Token: SeCreateTokenPrivilege	2108	takshost.exe
Token: SeBackupPrivilege	2108	takshost.exe
Token: SeRestorePrivilege	2108	takshost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exec75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exetakshost.exetakshost.exe

description	pid	process	target process
PID 5044 wrote to memory of 3440	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 5044 wrote to memory of 3440	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 5044 wrote to memory of 3440	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 5044 wrote to memory of 3440	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 5044 wrote to memory of 3440	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 5044 wrote to memory of 3440	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 5044 wrote to memory of 3440	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
PID 5044 wrote to memory of 1624	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 5044 wrote to memory of 1624	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 5044 wrote to memory of 1624	5044	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	takshost.exe
PID 3440 wrote to memory of 5108	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	cmd.exe
PID 3440 wrote to memory of 5108	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	cmd.exe
PID 3440 wrote to memory of 5108	3440	c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe	cmd.exe
PID 1624 wrote to memory of 2108	1624	takshost.exe	takshost.exe
PID 1624 wrote to memory of 2108	1624	takshost.exe	takshost.exe
PID 1624 wrote to memory of 2108	1624	takshost.exe	takshost.exe
PID 1624 wrote to memory of 2108	1624	takshost.exe	takshost.exe
PID 1624 wrote to memory of 2108	1624	takshost.exe	takshost.exe
PID 1624 wrote to memory of 2108	1624	takshost.exe	takshost.exe
PID 1624 wrote to memory of 2108	1624	takshost.exe	takshost.exe
PID 2108 wrote to memory of 2848	2108	takshost.exe	cmd.exe
PID 2108 wrote to memory of 2848	2108	takshost.exe	cmd.exe
PID 2108 wrote to memory of 2848	2108	takshost.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

takshost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	takshost.exe

C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
"C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe
  "C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240590531.bat" "C:\Users\Admin\AppData\Local\Temp\c75434ad0b5e5444e3d676ced4331241a7f6b725d4f110a43dc35699f658e42d.exe" "
    3⤵
    PID:5108
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    3⤵
    - Checks computer location settings
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240613718.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "
      4⤵
      PID:2848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240590531.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240613718.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
memory/1624-152-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1624-139-0x0000000000000000-mapping.dmp

Download
memory/1624-142-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1624-146-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2108-155-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2108-153-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2108-151-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2108-150-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2108-147-0x0000000000000000-mapping.dmp

Download
memory/2848-154-0x0000000000000000-mapping.dmp

Download
memory/3440-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3440-144-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3440-140-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3440-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3440-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3440-134-0x0000000000000000-mapping.dmp

Download
memory/5044-141-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5044-132-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5044-133-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5108-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads