Malware Analysis Report

2025-08-10 18:22

Sample ID: 221119-d7eg2scb59
Target: 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA256: 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
Tags: pony collection discovery rat spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
Threat Level: Known bad

The file 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea was found to be: Known bad.

Malicious Activity Summary

pony collection discovery rat spyware stealer upx

Pony,Fareit
UPX packed file
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Accesses Microsoft Outlook profiles
Checks installed software on the system
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses

Read together with the two behavioral runs below, these signatures describe one chain. The UPX-packed sample copies itself byte for byte (identical MD5, SHA1 and SHA256) to C:\ProgramData\Sleep bottom\Length Tell.exe and drops Who early.lnk into the user's Startup folder for persistence. The copy starts a second instance of itself, writes into it and then resets its thread context (the process-hollowing pattern); that injected instance is the one that reads the browser, FTP-client and Outlook credential stores, resolves and connects to 3z3muor0045.site11.com on 153.92.0.100:80, and finally launches cmd.exe with a temporary .bat file that receives the executable's path as its argument. Pony, which many vendors name Fareit, is a credential stealer; the "rat" tag is the sandbox's family classification, and nothing in either run shows remote-control functionality. "Loads dropped DLL" is listed here but has no matching indicator in either run.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-19 03:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-19 03:38
Reported: 2022-11-19 03:41
Platform: win7-20220812-en
Max time kernel: 63s
Max time network: 83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
N/A N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A

Two instances of the dropped copy run in this detonation (PIDs 1052 and 1724 in the WriteProcessMemory rows below); the second one is the hollowed instance.

UPX packed file

upx
Six matches; the report records no description, indicator, process or target for any of them.

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\ProgramData\Sleep bottom\Length Tell.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\ProgramData\Sleep bottom\Length Tell.exe N/A

Both keys are mail account stores: OMI Account Manager\Accounts holds Outlook Express / Windows Mail style account entries, and Windows Messaging Subsystem\Profiles\Outlook holds the MAPI profile used by Outlook. Pony opens them to harvest saved mail-server credentials. Note that the access comes from the dropped copy in C:\ProgramData, not from the originally submitted process.

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1052 set thread context of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe

Process and target are two instances of the same binary, and 1052 also wrote into 1724 six times before changing its thread context (see the WriteProcessMemory rows). That is the process-hollowing sequence: start a copy of yourself suspended, overwrite its image with the unpacked payload, point the main thread at the new entry point, resume. The repeated 0x400000-0x41C000 dumps of PID 1724 in the Files section are where to look for the unpacked Pony code.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
(the eight rows after SeDebugPrivilege repeat four times in the original output, 33 rows in total)

These rows record AdjustTokenPrivileges calls, not successful elevation. AdjustTokenPrivileges can only enable privileges that are already present in the process token; it never adds new ones. SeTcbPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeDebugPrivilege are not in a standard user's token, so under a non-administrative account these calls fail with ERROR_NOT_ALL_ASSIGNED. The list therefore shows what the stealer asks for, not what it obtained.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe C:\ProgramData\Sleep bottom\Length Tell.exe (4 rows)
PID 1052 wrote to memory of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe (6 rows)
PID 1724 wrote to memory of 1936 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\Windows\SysWOW64\cmd.exe (4 rows)

A few writes from a parent into a process it has just created are expected: user-mode CreateProcess writes the new process's parameters into the child itself, which is why the 1188 -> 1052 and 1724 -> 1936 (cmd.exe) rows appear. The 1052 -> 1724 writes are the ones that matter, because they are followed by the SetThreadContext above and the target is a second copy of the writer's own image.

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\ProgramData\Sleep bottom\Length Tell.exe N/A

This is the same key access already reported under "Accesses Microsoft Outlook profiles", matched a second time by a rule-named signature.

Processes

Process tree, with PIDs taken from the WriteProcessMemory and SetThreadContext rows (each parent writes into the child it creates):

1188  C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
      "C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"
  1052  C:\ProgramData\Sleep bottom\Length Tell.exe
        "C:\ProgramData\Sleep bottom\Length Tell.exe"
    1724  C:\ProgramData\Sleep bottom\Length Tell.exe (hollowed by 1052; runs the unpacked stealer)
          "C:\ProgramData\Sleep bottom\Length Tell.exe"
      1936  C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\7162302.bat" "C:\ProgramData\Sleep bottom\Length Tell.exe" "

The batch file is handed the path of the running copy as its only argument. Its content is not shown in the report, but a file with identical hashes is dropped under a different random name in the Windows 10 run, so the script body is constant and only the file name varies.
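The injection chain above can be reconstructed mechanically from the signature rows. The following Python script is an added example, not part of the sandbox report or of any tool it names: it parses the WriteProcessMemory and SetThreadContext rows of the Windows 7 run (embedded below as constructed input, with the sample's SHA-256 file name shortened to SAMPLE.exe for readability), counts write edges per process pair, labels a pair as hollowing only when writes are followed by a thread-context change on the same target, and reports write-only pairs as ordinary child creation.

```python
import re
from collections import Counter

# Constructed input: the SetThreadContext and WriteProcessMemory rows from the
# behavioral1 run of this report, copied as plain text. The sample's file name
# (its SHA-256) is shortened to SAMPLE.exe here.
BEHAVIORAL1_ROWS = r"""
PID 1052 set thread context of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1188 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1188 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1188 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1188 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1052 wrote to memory of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1052 wrote to memory of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1052 wrote to memory of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1052 wrote to memory of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1052 wrote to memory of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1052 wrote to memory of 1724 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe
PID 1724 wrote to memory of 1936 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1936 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1936 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1936 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\Windows\SysWOW64\cmd.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<images>C:\\.+)$"
)


def parse_rows(text):
    """Yield (src_pid, op, dst_pid, src_image, dst_image) per signature row.
    Image paths contain spaces, so the two paths are split where a space is
    followed by a drive prefix rather than on whitespace."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        paths = re.split(r" (?=C:\\)", m["images"], maxsplit=1)
        if len(paths) != 2:
            continue
        yield int(m["src"]), m["op"], int(m["dst"]), paths[0], paths[1]


def analyze(text):
    """Count write edges, record thread-context edges and label each pair."""
    writes, ctx, image = Counter(), set(), {}
    for src, op, dst, src_img, dst_img in parse_rows(text):
        image[src], image[dst] = src_img, dst_img
        if op == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    verdicts = {}
    for (src, dst), n in writes.items():
        if (src, dst) in ctx:
            # Writes followed by SetThreadContext on the same target is the
            # hollowing sequence; the same image on both sides means the sample
            # hollowed a copy of itself, which is what this report shows.
            same = image[src].lower() == image[dst].lower()
            verdicts[(src, dst)] = ("self-hollowing" if same else "hollowing") + f" ({n} writes)"
        else:
            # CreateProcess writes the new process's parameters into the child,
            # so a handful of writes with no thread-context change is plain spawning.
            verdicts[(src, dst)] = f"child creation ({n} writes)"
    return {"writes": dict(writes), "ctx": ctx, "image": image, "verdicts": verdicts}


def process_chain(result):
    """Order PIDs root-first by following write edges (one writer per PID here)."""
    parent = {dst: src for (src, dst) in result["writes"]}
    children = {src: dst for (src, dst) in result["writes"]}
    roots = [p for p in result["image"] if p not in parent]
    order, seen = [], set()
    for pid in roots:
        while pid is not None and pid not in seen:
            order.append(pid)
            seen.add(pid)
            pid = children.get(pid)
    return order


if __name__ == "__main__":
    res = analyze(BEHAVIORAL1_ROWS)
    print(" -> ".join(str(p) for p in process_chain(res)))
    for pair, verdict in res["verdicts"].items():
        print(pair, verdict)
```

Run it and the chain comes out as 1188 -> 1052 -> 1724 -> 1936 with only the 1052/1724 pair labelled self-hollowing; the same parser works unchanged on the Windows 10 rows (2252/4824/3064/852).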

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 3z3muor0045.site11.com udp
N/A 153.92.0.100:80 3z3muor0045.site11.com tcp (4 connections)
N/A 8.8.8.8:53 www.000webhost.com udp
N/A 104.19.184.120:443 www.000webhost.com tcp

3z3muor0045.site11.com (153.92.0.100:80) is the only host the sample resolves and connects to in both runs and is the candidate Pony panel. site11.com is one of the subdomain zones used for 000webhost free-hosting accounts, and the follow-up lookup of www.000webhost.com over 443 is consistent with the sample following an HTTP redirect to the provider's own site, which usually means the free site has been suspended or removed; the report does not include the HTTP requests, so that reading is an inference. 8.8.8.8 is the sandbox resolver, not an indicator.

Files

Memory dumps (PID-sequence-address range):
memory/1188-54-0x0000000075091000-0x0000000075093000-memory.dmp
memory/1188-55-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1052-58-0x0000000000000000-mapping.dmp
memory/1188-62-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1052-64-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1724-66-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1052-71-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1724-73-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1724-74-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1724-75-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1724-76-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1724-78-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1936-77-0x0000000000000000-mapping.dmp

The 0x400000-0x41C000 region of PID 1724 (112 KB at the default 32-bit image base) is dumped six times; it is the image written into the hollowed instance and the best source for an unpacked copy of the stealer. The 0x74110000-0x746BB000 region dumped from 1188 and 1052 is a module-sized range (about 5.7 MB) in the DLL load area, most likely a loaded DLL rather than the sample's own image.

Written files (each listed once; the report repeats the Length Tell.exe entry five times, with and without the drive letter):

C:\ProgramData\Sleep bottom\Length Tell.exe

MD5 1af6c84bb171f0d91cacfc9882967d10
SHA1 7e42072c65d5fffdff4500f7aebc2916f33268d1
SHA256 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512 ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade

All four hashes are identical to the submitted sample: the drop is a plain copy of the original file, so the sample hash covers it.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7a842324131e27d7555de0184233ffe
SHA1 392d4d55f15a39ff8e0fa903fedb74c90ea3e26a
SHA256 da54e3efba02270b4ea988d0c1341255bd5feb14007d7055997e0f39cfb30895
SHA512 a3b313ab212155cec747304e962ca96257c2c59ecffaf3b585456426eb331a969195edadb97477317b04beb3bbd73913d4621cd3b6c443fea69944c6c7917c98

This is the CryptoAPI URL cache that Windows writes when it fetches a certificate or CRL. It is an OS artefact, not something the sample dropped, and should not be used as an indicator.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk

MD5 042c92e278612a58d332157462b1e8ab
SHA1 63f6fd7595b635f3081de9cb23e82e4673acbfaa
SHA256 4cda7f6015666598511ef97511caa5d57e723e5c40865553b18337d6f9e1d023
SHA512 1efee632674dd4cc8de4cc06d8236a1b2cc30f63d7d0303a58aa32944ba70abc5a8a50fa4f486c707fc1910d4bd9b03f74a3bb496ebb889a95ef8af2d68e2079

Shortcut files embed host-specific data, and this one hashes differently in the Windows 10 run; match on the Startup path and the shortcut's target rather than on its hash.

C:\Users\Admin\AppData\Local\Temp\7162302.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Same hashes as 240648031.bat in the Windows 10 run: the script body is constant, so its hash is a usable indicator even though the file name is random.

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-19 03:38
Reported: 2022-11-19 03:41
Platform: win10v2004-20220812-en
Max time kernel: 116s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
N/A N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A

As in the Windows 7 run, two instances of the copy execute (PIDs 4824 and 3064 here).

UPX packed file

upx
Six matches; the report records no description, indicator, process or target for any of them.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe N/A

Geo\Nation holds the user's configured country. Reading it is a low-confidence indicator on its own (ordinary software does the same during locale initialisation), and the signature did not fire in the Windows 7 run, so treat it as context for a possible geo-check rather than proof of one.

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\ProgramData\Sleep bottom\Length Tell.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\ProgramData\Sleep bottom\Length Tell.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4824 set thread context of 3064 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe

Same hollowing step as in the Windows 7 run: the first copy (4824) writes into a second instance of its own image (3064) and then redirects that instance's main thread.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
N/A N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\Sleep bottom\Length Tell.exe N/A
(the eight rows after SeDebugPrivilege repeat six times in the original output, 49 rows in total)

The same fixed privilege list as in the Windows 7 run. These are AdjustTokenPrivileges requests; the call can only enable privileges already in the token, so under a standard user most of them fail and the rows do not indicate that the process gained those rights.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe C:\ProgramData\Sleep bottom\Length Tell.exe (3 rows)
PID 4824 wrote to memory of 3064 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\ProgramData\Sleep bottom\Length Tell.exe (5 rows)
PID 3064 wrote to memory of 852 N/A C:\ProgramData\Sleep bottom\Length Tell.exe C:\Windows\SysWOW64\cmd.exe (3 rows)

Only the 4824 -> 3064 writes are injection; they are the ones paired with the SetThreadContext row above. The other two pairs are the parameter writes CreateProcess performs when spawning a child.

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\ProgramData\Sleep bottom\Length Tell.exe N/A

Processes

Process tree, with PIDs taken from the WriteProcessMemory and SetThreadContext rows:

2252  C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe
      "C:\Users\Admin\AppData\Local\Temp\5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea.exe"
  4824  C:\ProgramData\Sleep bottom\Length Tell.exe
        "C:\ProgramData\Sleep bottom\Length Tell.exe"
    3064  C:\ProgramData\Sleep bottom\Length Tell.exe (hollowed by 4824; runs the unpacked stealer)
          "C:\ProgramData\Sleep bottom\Length Tell.exe"
      852  C:\Windows\SysWOW64\cmd.exe
           C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240648031.bat" "C:\ProgramData\Sleep bottom\Length Tell.exe" "

The command line names C:\Windows\system32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe: the stealer is a 32-bit process, and WOW64 file-system redirection maps system32 to SysWOW64 for it. The batch file again receives the path of the running copy as its argument.

Network

Country Destination Domain Proto
N/A 8.238.23.254:80 tcp (2 connections)
N/A 93.184.221.240:80 tcp (7 connections)
N/A 51.116.253.170:443 tcp
N/A 93.184.220.29:80 tcp
N/A 8.8.8.8:53 3z3muor0045.site11.com udp
N/A 153.92.0.100:80 3z3muor0045.site11.com tcp (4 connections)
N/A 8.8.8.8:53 www.000webhost.com udp
N/A 104.19.184.120:443 www.000webhost.com tcp

The sample's own traffic is the same as in the Windows 7 run: a lookup and four connections to 3z3muor0045.site11.com on 153.92.0.100:80, then www.000webhost.com. The four destinations with no domain appear only in this Windows 10 run, have no DNS name recorded, and are not attributed to any process in the report; that pattern is what OS background traffic looks like in a Windows 10 sandbox, but that is an assumption, so do not block them on this evidence alone.

Files

Memory dumps (PID-sequence-address range):
memory/2252-132-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/2252-133-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/4824-134-0x0000000000000000-mapping.dmp
memory/2252-137-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/4824-138-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/3064-140-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3064-142-0x0000000000000000-mapping.dmp
memory/3064-146-0x0000000000400000-0x000000000041C000-memory.dmp
memory/4824-147-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/3064-148-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3064-149-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3064-150-0x0000000000400000-0x000000000041C000-memory.dmp
memory/852-151-0x0000000000000000-mapping.dmp
memory/3064-152-0x0000000000400000-0x000000000041C000-memory.dmp

As in the Windows 7 run, the hollowed instance (PID 3064) has its 0x400000-0x41C000 image dumped six times; that is where the unpacked stealer lives.

Written files (each listed once; the report repeats the Length Tell.exe entry three times):

C:\ProgramData\Sleep bottom\Length Tell.exe

MD5 1af6c84bb171f0d91cacfc9882967d10
SHA1 7e42072c65d5fffdff4500f7aebc2916f33268d1
SHA256 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
SHA512 ea7ff9772cb948284855737f0a4daae8583b663d425016af37f9e1675b2384a72748360602a6f545d5406b19a4f15364487d5e8129ef1fef01f070e8c1e5aade

Identical to the submitted sample (a plain self-copy).

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk

MD5 fba1c6dcea2573ca97df19aabb41d754
SHA1 79e4def8c6e4ee035d7537d0ae4295d07199a8c1
SHA256 768b11b71d788ab52276c0996593004a1234865f7724cc814868dc4f4d88c746
SHA512 243b1fbb85434a0e5aeab2976b159b9ab57ca7c605a26a56e12fe260010f7d6a560cfbb9483e20f14bd618b2e63c050e5d7626fa8a6c8bcddadec7e6ffac8203

Different hashes from the Windows 7 run's Who early.lnk, as expected for a shortcut file: use the path, not the hash.

C:\Users\Admin\AppData\Local\Temp\240648031.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Same hashes as 7162302.bat from the Windows 7 run despite the different random name.
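Turning the Files and Network tables of both runs into a usable indicator list takes some care: the dropped executable is the sample itself, the .lnk hashes differ between runs while the .bat hashes do not, the CryptnetUrlCache entry belongs to the OS, and several Windows 10 connections have no DNS name. The Python below is an added example (not the report's or any vendor's code) that applies those rules to rows copied from this report. The rows are embedded as constructed input with the SHA1, SHA512 and most memory-dump lines left out, and the classification rules are the editor's, not the sandbox's.

```python
import re

# SHA-256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea"

# Constructed input: Files rows copied from both behavioral runs of this report
# (SHA1/SHA512 lines and all but one memory dump omitted for brevity).
FILES_EXCERPT = r"""
\ProgramData\Sleep bottom\Length Tell.exe
MD5 1af6c84bb171f0d91cacfc9882967d10
SHA256 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
memory/1052-58-0x0000000000000000-mapping.dmp
C:\ProgramData\Sleep bottom\Length Tell.exe
MD5 1af6c84bb171f0d91cacfc9882967d10
SHA256 5d7131836dab826351fa724a97f3d1c73c6a891b55a7caa4127089fb83b551ea
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 f7a842324131e27d7555de0184233ffe
SHA256 da54e3efba02270b4ea988d0c1341255bd5feb14007d7055997e0f39cfb30895
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk
MD5 042c92e278612a58d332157462b1e8ab
SHA256 4cda7f6015666598511ef97511caa5d57e723e5c40865553b18337d6f9e1d023
C:\Users\Admin\AppData\Local\Temp\7162302.bat
MD5 3880eeb1c736d853eb13b44898b718ab
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Who early.lnk
MD5 fba1c6dcea2573ca97df19aabb41d754
SHA256 768b11b71d788ab52276c0996593004a1234865f7724cc814868dc4f4d88c746
C:\Users\Admin\AppData\Local\Temp\240648031.bat
MD5 3880eeb1c736d853eb13b44898b718ab
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
"""

# Constructed input: a subset of the Network rows from both runs.
NETWORK_EXCERPT = """
N/A 8.8.8.8:53 3z3muor0045.site11.com udp
N/A 153.92.0.100:80 3z3muor0045.site11.com tcp
N/A 153.92.0.100:80 3z3muor0045.site11.com tcp
N/A 8.8.8.8:53 www.000webhost.com udp
N/A 104.19.184.120:443 www.000webhost.com tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
NET_RE = re.compile(r"^\S+ (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def parse_files(text):
    """Group each path line with the hash lines that follow it; skip memory dumps."""
    entries, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("memory/"):
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith(("C:\\", "\\")):
            # The report lists the same drop with and without the drive letter.
            cur = {"path": line if line.startswith("C:") else "C:" + line}
            entries.append(cur)
    return entries


def classify_file(entry):
    """Editor's rules for what each written file is worth as an indicator."""
    path = entry["path"].lower()
    if entry.get("sha256") == SAMPLE_SHA256:
        return "self-copy of the sample"
    if "\\cryptneturlcache\\" in path:
        return "os artefact (CryptoAPI URL cache), not an indicator"
    if path.endswith(".lnk"):
        return "persistence artefact; .lnk hash is host-specific, match on path"
    return "dropped file; hash usable as indicator"


def file_iocs(text):
    """Deduplicate by (path, sha256) and group the paths that share a content hash."""
    uniq, by_hash = {}, {}
    for e in parse_files(text):
        key = (e["path"].lower(), e.get("sha256"))
        if key in uniq:
            continue
        uniq[key] = dict(e, verdict=classify_file(e))
        by_hash.setdefault(e.get("sha256"), []).append(e["path"])
    return list(uniq.values()), by_hash


def network_iocs(text):
    """Deduplicate connections, count hits, and flag resolver and unattributed traffic."""
    seen = {}
    for line in map(str.strip, text.splitlines()):
        m = NET_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["port"], m["proto"], m["domain"])
        if key in seen:
            seen[key]["hits"] += 1
            continue
        if m["ip"] == "8.8.8.8" and m["port"] == "53":
            verdict = "sandbox resolver, not an indicator"
        elif m["domain"] is None:
            verdict = "no DNS name recorded; attribute before blocking"
        else:
            verdict = "contacted host"
        seen[key] = {"ip": m["ip"], "port": int(m["port"]), "proto": m["proto"],
                     "domain": m["domain"], "hits": 1, "verdict": verdict}
    return list(seen.values())


if __name__ == "__main__":
    files, by_hash = file_iocs(FILES_EXCERPT)
    for f in files:
        print(f["sha256"], f["path"], "->", f["verdict"])
    for n in network_iocs(NETWORK_EXCERPT):
        print(n["ip"], n["port"], n["proto"], n["domain"], n["hits"], "->", n["verdict"])
```

The output leaves exactly two file hashes worth distributing (the sample's own and the batch file's, which is shared by 7162302.bat and 240648031.bat) plus the Startup path, and two hosts; the unnamed 93.184.221.240 entry is carried along but marked as needing attribution.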