pony | 172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f

General

Target

172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Size

564KB
MD5

a1d3624a30411262cfe25674dbd05051
SHA1

3d2c681609f5213a680955573e26f4e3a52025a9
SHA256

172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f
SHA512

59bc2190ff355409ac2d9d3fd197c6c6cddb89f25990b4cb2614a3cb6b8ca5a6cde931807290366cd203fdadb48e5a0977606f06231233d6a7be62d88af033d5
SSDEEP

6144:6pX2i9HjHIDeRzKPCqIlKqX6ehf1gOGqHCibZwSDqMPoyoMGGGGGGGGGGbGGGGG4:Q20zyeRWtI9qGu6HCWZwMqoKHjl

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://www.powerturk.rocks/web/gate.php

http://www.powerturk.rocks/webd/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

840 csrss.exe

Loads dropped DLL 2 IoCs

Processes:

172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

pid	process
1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

description	pid	process	target process
PID 1120 set thread context of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exe

pid	process
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe
840	csrss.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

csrss.exe172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

description	pid	process
Token: SeDebugPrivilege	840	csrss.exe
Token: SeImpersonatePrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeTcbPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeChangeNotifyPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeCreateTokenPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeBackupPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeRestorePrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeIncreaseQuotaPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeAssignPrimaryTokenPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeImpersonatePrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeTcbPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeChangeNotifyPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeCreateTokenPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeBackupPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeRestorePrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeIncreaseQuotaPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeAssignPrimaryTokenPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeImpersonatePrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeTcbPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeChangeNotifyPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeCreateTokenPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeBackupPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeRestorePrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeIncreaseQuotaPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeAssignPrimaryTokenPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeImpersonatePrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeTcbPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeChangeNotifyPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeCreateTokenPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeBackupPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeRestorePrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeIncreaseQuotaPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
Token: SeAssignPrimaryTokenPrivilege	1724	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1396 AcroRd32.exe
1396 AcroRd32.exe
1396 AcroRd32.exe
1396 AcroRd32.exe

pid	process
1396	AcroRd32.exe
1396	AcroRd32.exe
1396	AcroRd32.exe
1396	AcroRd32.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.execsrss.exe172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

description	pid	process	target process
PID 1120 wrote to memory of 1396	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	AcroRd32.exe
PID 1120 wrote to memory of 1396	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	AcroRd32.exe
PID 1120 wrote to memory of 1396	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	AcroRd32.exe
PID 1120 wrote to memory of 1396	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	AcroRd32.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 1724	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 1120 wrote to memory of 840	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	csrss.exe
PID 1120 wrote to memory of 840	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	csrss.exe
PID 1120 wrote to memory of 840	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	csrss.exe
PID 1120 wrote to memory of 840	1120	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	csrss.exe
PID 840 wrote to memory of 676	840	csrss.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 840 wrote to memory of 676	840	csrss.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 840 wrote to memory of 676	840	csrss.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 840 wrote to memory of 676	840	csrss.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 676 wrote to memory of 1908	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	AcroRd32.exe
PID 676 wrote to memory of 1908	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	AcroRd32.exe
PID 676 wrote to memory of 1908	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	AcroRd32.exe
PID 676 wrote to memory of 1908	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	AcroRd32.exe
PID 676 wrote to memory of 1744	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 676 wrote to memory of 1744	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 676 wrote to memory of 1744	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 676 wrote to memory of 1744	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 676 wrote to memory of 1744	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 676 wrote to memory of 1744	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
PID 676 wrote to memory of 1744	676	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

outlook_win_path 1 IoCs

Processes:

172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe

C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
"C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\SLED_PO_Template.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
"C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1724

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe" -prochide 1724 -proc 1724 C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
"C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\SLED_PO_Template.pdf"
4⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe
"C:\Users\Admin\AppData\Local\Temp\172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f.exe"
4⤵
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
564KB

MD5
a1d3624a30411262cfe25674dbd05051

SHA1
3d2c681609f5213a680955573e26f4e3a52025a9

SHA256
172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f

SHA512
59bc2190ff355409ac2d9d3fd197c6c6cddb89f25990b4cb2614a3cb6b8ca5a6cde931807290366cd203fdadb48e5a0977606f06231233d6a7be62d88af033d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
564KB

MD5
a1d3624a30411262cfe25674dbd05051

SHA1
3d2c681609f5213a680955573e26f4e3a52025a9

SHA256
172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f

SHA512
59bc2190ff355409ac2d9d3fd197c6c6cddb89f25990b4cb2614a3cb6b8ca5a6cde931807290366cd203fdadb48e5a0977606f06231233d6a7be62d88af033d5

Download Submit
C:\Users\Admin\AppData\Roaming\SLED_PO_Template.pdf
Filesize
113KB

MD5
40caa279a85473a57eb422c6dcee609f

SHA1
77a9ba6dcb39cfdd47230d87a3c566f024b645b4

SHA256
e2d8e5e3093bf2eac1618ae744a5277ddc2eeef478632adc9157d50e8e74ab18

SHA512
5ec4c71cfb5fc5104ef50c68a6f2041e67ca9d44ac1860551a3b5468f85e57be4c5395108aaf44b5c0e58b39ad826b32b27fc9267ded5638f62eaca374d4dc40

Download Submit
C:\Users\Admin\AppData\Roaming\SLED_PO_Template.pdf
Filesize
113KB

MD5
40caa279a85473a57eb422c6dcee609f

SHA1
77a9ba6dcb39cfdd47230d87a3c566f024b645b4

SHA256
e2d8e5e3093bf2eac1618ae744a5277ddc2eeef478632adc9157d50e8e74ab18

SHA512
5ec4c71cfb5fc5104ef50c68a6f2041e67ca9d44ac1860551a3b5468f85e57be4c5395108aaf44b5c0e58b39ad826b32b27fc9267ded5638f62eaca374d4dc40

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
564KB

MD5
a1d3624a30411262cfe25674dbd05051

SHA1
3d2c681609f5213a680955573e26f4e3a52025a9

SHA256
172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f

SHA512
59bc2190ff355409ac2d9d3fd197c6c6cddb89f25990b4cb2614a3cb6b8ca5a6cde931807290366cd203fdadb48e5a0977606f06231233d6a7be62d88af033d5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
564KB

MD5
a1d3624a30411262cfe25674dbd05051

SHA1
3d2c681609f5213a680955573e26f4e3a52025a9

SHA256
172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f

SHA512
59bc2190ff355409ac2d9d3fd197c6c6cddb89f25990b4cb2614a3cb6b8ca5a6cde931807290366cd203fdadb48e5a0977606f06231233d6a7be62d88af033d5

Download Submit
memory/676-85-0x0000000000000000-mapping.dmp

Download
memory/676-90-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/676-100-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/840-87-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/840-82-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/840-73-0x0000000000000000-mapping.dmp

Download
memory/840-79-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1120-55-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-78-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-56-0x0000000000000000-mapping.dmp

Download
memory/1724-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-68-0x0000000000410F55-mapping.dmp

Download
memory/1724-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads