pony | 1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Size

324KB
MD5

7d05eebdb0afe7c4c4d5231eaa271118
SHA1

ae2c8059389887f0028ae61c89fd65d878eea7b4
SHA256

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324
SHA512

46a250708d573966313dd28e1b3db546634c58bb886fdda667208ae9608048521bd6a8a8d529c68cd447bc419f773952b559cd555c911aea940335768d3369e6
SSDEEP

6144:a4w/TEf3zR2c++Mr4sIJbWGQ4w/TEJpnss2XjXrHPWftnyBXMxoMKk:xqgvzMrrnIYSqgJZss0jX7uB6uoMb

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://raslo1.bangex.com/regate/regate.php

http://dll1.dinos.al/regate/regate.php

http://dll1-b.dinos.al/regate/regate.php

http://dll1-c.dinos.al/regate/regate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 4 IoCs

Processes:

tmp7562839.exetmp7562839.exelsass.exelsass.exe

pid process

1528 tmp7562839.exe
1400 tmp7562839.exe
872 lsass.exe
1712 lsass.exe
Drops startup file 1 IoCs

Processes:

tmp7562839.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe tmp7562839.exe

pid	process
1528	tmp7562839.exe
1400	tmp7562839.exe
872	lsass.exe
1712	lsass.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	tmp7562839.exe

Loads dropped DLL 5 IoCs

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exetmp7562839.exetmp7562839.exe

pid	process
756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
1528	tmp7562839.exe
1400	tmp7562839.exe
1400	tmp7562839.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exetmp7562839.exelsass.exe

description	pid	process	target process
PID 756 set thread context of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 1528 set thread context of 1400	1528	tmp7562839.exe	tmp7562839.exe
PID 872 set thread context of 1712	872	lsass.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pid process

1284
1284
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

lsass.exeexplorer.exe

pid process

1712 lsass.exe
832 explorer.exe
1284
1284
1284

pid	process
1284
1284

pid	process
1712	lsass.exe
832	explorer.exe
1284
1284
1284

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

tmp7562839.exelsass.exe1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

description	pid	process
Token: SeDebugPrivilege	1400	tmp7562839.exe
Token: SeDebugPrivilege	1712	lsass.exe
Token: SeDebugPrivilege	1284
Token: SeImpersonatePrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeTcbPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeChangeNotifyPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeCreateTokenPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeBackupPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeRestorePrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeIncreaseQuotaPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeAssignPrimaryTokenPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeImpersonatePrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeTcbPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeChangeNotifyPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeCreateTokenPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeBackupPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeRestorePrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeIncreaseQuotaPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeAssignPrimaryTokenPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeImpersonatePrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeTcbPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeChangeNotifyPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeCreateTokenPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeBackupPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeRestorePrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeIncreaseQuotaPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeAssignPrimaryTokenPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeImpersonatePrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeTcbPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeChangeNotifyPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeCreateTokenPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeBackupPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeRestorePrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeIncreaseQuotaPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
Token: SeAssignPrimaryTokenPrivilege	976	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1284
1284
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1284
1284
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exetmp7562839.exelsass.exe

pid process

756 1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
1528 tmp7562839.exe
872 lsass.exe

pid	process
1284
1284

pid	process
1284
1284

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exetmp7562839.exetmp7562839.exelsass.exelsass.exe

description	pid	process	target process
PID 756 wrote to memory of 1528	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	tmp7562839.exe
PID 756 wrote to memory of 1528	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	tmp7562839.exe
PID 756 wrote to memory of 1528	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	tmp7562839.exe
PID 756 wrote to memory of 1528	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	tmp7562839.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 756 wrote to memory of 976	756	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
PID 1528 wrote to memory of 1400	1528	tmp7562839.exe	tmp7562839.exe
PID 1528 wrote to memory of 1400	1528	tmp7562839.exe	tmp7562839.exe
PID 1528 wrote to memory of 1400	1528	tmp7562839.exe	tmp7562839.exe
PID 1528 wrote to memory of 1400	1528	tmp7562839.exe	tmp7562839.exe
PID 1528 wrote to memory of 1400	1528	tmp7562839.exe	tmp7562839.exe
PID 1528 wrote to memory of 1400	1528	tmp7562839.exe	tmp7562839.exe
PID 1528 wrote to memory of 1400	1528	tmp7562839.exe	tmp7562839.exe
PID 1400 wrote to memory of 872	1400	tmp7562839.exe	lsass.exe
PID 1400 wrote to memory of 872	1400	tmp7562839.exe	lsass.exe
PID 1400 wrote to memory of 872	1400	tmp7562839.exe	lsass.exe
PID 1400 wrote to memory of 872	1400	tmp7562839.exe	lsass.exe
PID 872 wrote to memory of 1712	872	lsass.exe	lsass.exe
PID 872 wrote to memory of 1712	872	lsass.exe	lsass.exe
PID 872 wrote to memory of 1712	872	lsass.exe	lsass.exe
PID 872 wrote to memory of 1712	872	lsass.exe	lsass.exe
PID 872 wrote to memory of 1712	872	lsass.exe	lsass.exe
PID 872 wrote to memory of 1712	872	lsass.exe	lsass.exe
PID 872 wrote to memory of 1712	872	lsass.exe	lsass.exe
PID 1712 wrote to memory of 832	1712	lsass.exe	explorer.exe
PID 1712 wrote to memory of 832	1712	lsass.exe	explorer.exe
PID 1712 wrote to memory of 832	1712	lsass.exe	explorer.exe
PID 1712 wrote to memory of 832	1712	lsass.exe	explorer.exe

outlook_win_path 1 IoCs

Processes:

1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe

C:\Users\Admin\AppData\Local\Temp\1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
"C:\Users\Admin\AppData\Local\Temp\1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe
6⤵
- Suspicious behavior: MapViewOfSection
PID:832

C:\Users\Admin\AppData\Local\Temp\1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe
"C:\Users\Admin\AppData\Local\Temp\1721775c6d33bf147d0eec83f5b8e92b1e8ebf3baae9dd9fd77c189fe79f2324.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7562839.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7562839.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7562839.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7562839.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
164KB

MD5
ee86a6eb2f94db6c8caa0b95bc468174

SHA1
b07fef1c69176369a6f09da5a2359d062b2d0c65

SHA256
fd1d70cf0753ad0e290126caab6445f66940c242309fdcb7792354657948ac3e

SHA512
eb82b97602fae6dcb352b34f8dc24267b29584ff9ed86d7b6445a6b5316363d1ef8f66946852dba2eb5aae327271373ba60743b7998472bf9c9528a7eeb045a6

Download Submit
memory/756-56-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/756-57-0x00000000006AF000-0x00000000006C1000-memory.dmp

Filesize
72KB

Download
memory/756-58-0x0000000002591000-0x0000000002ADD000-memory.dmp

Filesize
5.3MB

Download
memory/832-104-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/832-101-0x0000000000000000-mapping.dmp

Download
memory/872-85-0x000000000055F000-0x0000000000577000-memory.dmp

Filesize
96KB

Download
memory/872-87-0x000000000055F000-0x0000000000577000-memory.dmp

Filesize
96KB

Download
memory/872-88-0x000000000055F000-0x0000000000577000-memory.dmp

Filesize
96KB

Download
memory/872-78-0x0000000000000000-mapping.dmp

Download
memory/872-91-0x000000000055F000-0x0000000000577000-memory.dmp

Filesize
96KB

Download
memory/872-94-0x000000000055F000-0x0000000000577000-memory.dmp

Filesize
96KB

Download
memory/976-74-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/976-110-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download
memory/976-107-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/976-66-0x0000000000410028-mapping.dmp

Download
memory/976-112-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/976-111-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/976-64-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1192-108-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1220-109-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/1284-105-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/1284-106-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1400-79-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1400-72-0x0000000000401000-mapping.dmp

Download
memory/1400-71-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1528-68-0x0000000000620000-0x0000000000638000-memory.dmp

Filesize
96KB

Download
memory/1528-61-0x0000000000000000-mapping.dmp

Download
memory/1712-102-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1712-103-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1712-98-0x0000000000401000-mapping.dmp

Download