pony | feb8ef1b98b0eddaf5cef0efb04654cbd28de14784c494ee86e007a9961e7dfb

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

product.scr
Size

624KB
MD5

fff4955ffce3b5e5260408e7fef6872d
SHA1

78b85c6cb35cb007882ecce9602b60cd6c5bae97
SHA256

a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
SHA512

e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
SSDEEP

12288:mcER/WFqpOCIYqv2/eso4QDiWVpDiKiS9BYM1efta7iXS6GnEv0CNisXoNBW9x:mcER/WFqpOCIYqv2/eso4QDiW3DiKiSM

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://190.14.37.80/akpos/Panel/Panelz/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 5 IoCs

Processes:

mamade.exeScan002.scrmamade.exemamade.exeScan002.scr

pid process

1176 mamade.exe
876 Scan002.scr
1380 mamade.exe
1828 mamade.exe
936 Scan002.scr

pid	process
1176	mamade.exe
876	Scan002.scr
1380	mamade.exe
1828	mamade.exe
936	Scan002.scr

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1828-93-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1828-97-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1828-99-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/936-111-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/1828-113-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/936-114-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/936-116-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1828-117-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1828-118-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/936-121-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1828-122-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops startup file 3 IoCs

Processes:

product.scrmamade.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe	product.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe	product.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe	mamade.exe

Loads dropped DLL 5 IoCs

Processes:

product.scrcmd.exeScan002.scr

pid process

1208 product.scr
1208 product.scr
672 cmd.exe
672 cmd.exe
876 Scan002.scr
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1208	product.scr
1208	product.scr
672	cmd.exe
672	cmd.exe
876	Scan002.scr

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

Scan002.scrmamade.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Scan002.scr
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mamade.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

Scan002.scrmamade.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Scan002.scr
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mamade.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

mamade.exemamade.exeScan002.scr

description	pid	process	target process
PID 1176 set thread context of 1380	1176	mamade.exe	mamade.exe
PID 1380 set thread context of 1828	1380	mamade.exe	mamade.exe
PID 876 set thread context of 936	876	Scan002.scr	Scan002.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mamade.exeScan002.scr

pid process

1380 mamade.exe
876 Scan002.scr

pid	process
1380	mamade.exe
876	Scan002.scr

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mamade.exeScan002.scr

description	pid	process
Token: SeImpersonatePrivilege	1828	mamade.exe
Token: SeTcbPrivilege	1828	mamade.exe
Token: SeChangeNotifyPrivilege	1828	mamade.exe
Token: SeCreateTokenPrivilege	1828	mamade.exe
Token: SeBackupPrivilege	1828	mamade.exe
Token: SeRestorePrivilege	1828	mamade.exe
Token: SeIncreaseQuotaPrivilege	1828	mamade.exe
Token: SeAssignPrimaryTokenPrivilege	1828	mamade.exe
Token: SeImpersonatePrivilege	936	Scan002.scr
Token: SeTcbPrivilege	936	Scan002.scr
Token: SeChangeNotifyPrivilege	936	Scan002.scr
Token: SeCreateTokenPrivilege	936	Scan002.scr
Token: SeBackupPrivilege	936	Scan002.scr
Token: SeRestorePrivilege	936	Scan002.scr
Token: SeIncreaseQuotaPrivilege	936	Scan002.scr
Token: SeAssignPrimaryTokenPrivilege	936	Scan002.scr
Token: SeImpersonatePrivilege	1828	mamade.exe
Token: SeImpersonatePrivilege	936	Scan002.scr
Token: SeTcbPrivilege	1828	mamade.exe
Token: SeChangeNotifyPrivilege	1828	mamade.exe
Token: SeCreateTokenPrivilege	1828	mamade.exe
Token: SeTcbPrivilege	936	Scan002.scr
Token: SeBackupPrivilege	1828	mamade.exe
Token: SeChangeNotifyPrivilege	936	Scan002.scr
Token: SeRestorePrivilege	1828	mamade.exe
Token: SeCreateTokenPrivilege	936	Scan002.scr
Token: SeBackupPrivilege	936	Scan002.scr
Token: SeIncreaseQuotaPrivilege	1828	mamade.exe
Token: SeAssignPrimaryTokenPrivilege	1828	mamade.exe
Token: SeRestorePrivilege	936	Scan002.scr
Token: SeIncreaseQuotaPrivilege	936	Scan002.scr
Token: SeAssignPrimaryTokenPrivilege	936	Scan002.scr
Token: SeImpersonatePrivilege	1828	mamade.exe
Token: SeTcbPrivilege	1828	mamade.exe
Token: SeChangeNotifyPrivilege	1828	mamade.exe
Token: SeCreateTokenPrivilege	1828	mamade.exe
Token: SeBackupPrivilege	1828	mamade.exe
Token: SeRestorePrivilege	1828	mamade.exe
Token: SeIncreaseQuotaPrivilege	1828	mamade.exe
Token: SeAssignPrimaryTokenPrivilege	1828	mamade.exe
Token: SeImpersonatePrivilege	936	Scan002.scr
Token: SeTcbPrivilege	936	Scan002.scr
Token: SeChangeNotifyPrivilege	936	Scan002.scr
Token: SeCreateTokenPrivilege	936	Scan002.scr
Token: SeBackupPrivilege	936	Scan002.scr
Token: SeRestorePrivilege	936	Scan002.scr
Token: SeIncreaseQuotaPrivilege	936	Scan002.scr
Token: SeAssignPrimaryTokenPrivilege	936	Scan002.scr
Token: SeImpersonatePrivilege	1828	mamade.exe
Token: SeTcbPrivilege	1828	mamade.exe
Token: SeChangeNotifyPrivilege	1828	mamade.exe
Token: SeCreateTokenPrivilege	1828	mamade.exe
Token: SeBackupPrivilege	1828	mamade.exe
Token: SeRestorePrivilege	1828	mamade.exe
Token: SeIncreaseQuotaPrivilege	1828	mamade.exe
Token: SeAssignPrimaryTokenPrivilege	1828	mamade.exe
Token: SeImpersonatePrivilege	936	Scan002.scr
Token: SeTcbPrivilege	936	Scan002.scr
Token: SeChangeNotifyPrivilege	936	Scan002.scr
Token: SeCreateTokenPrivilege	936	Scan002.scr
Token: SeBackupPrivilege	936	Scan002.scr
Token: SeRestorePrivilege	936	Scan002.scr
Token: SeIncreaseQuotaPrivilege	936	Scan002.scr
Token: SeAssignPrimaryTokenPrivilege	936	Scan002.scr

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

product.scrmamade.exemamade.exeScan002.scr

pid process

1208 product.scr
1176 mamade.exe
1380 mamade.exe
876 Scan002.scr
1380 mamade.exe
876 Scan002.scr

pid	process
1208	product.scr
1176	mamade.exe
1380	mamade.exe
876	Scan002.scr
1380	mamade.exe
876	Scan002.scr

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

product.scrcmd.exemamade.exemamade.exeScan002.scrScan002.scrmamade.exe

description	pid	process	target process
PID 1208 wrote to memory of 672	1208	product.scr	cmd.exe
PID 1208 wrote to memory of 672	1208	product.scr	cmd.exe
PID 1208 wrote to memory of 672	1208	product.scr	cmd.exe
PID 1208 wrote to memory of 672	1208	product.scr	cmd.exe
PID 1208 wrote to memory of 1176	1208	product.scr	mamade.exe
PID 1208 wrote to memory of 1176	1208	product.scr	mamade.exe
PID 1208 wrote to memory of 1176	1208	product.scr	mamade.exe
PID 1208 wrote to memory of 1176	1208	product.scr	mamade.exe
PID 672 wrote to memory of 876	672	cmd.exe	Scan002.scr
PID 672 wrote to memory of 876	672	cmd.exe	Scan002.scr
PID 672 wrote to memory of 876	672	cmd.exe	Scan002.scr
PID 672 wrote to memory of 876	672	cmd.exe	Scan002.scr
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1176 wrote to memory of 1380	1176	mamade.exe	mamade.exe
PID 1380 wrote to memory of 1828	1380	mamade.exe	mamade.exe
PID 1380 wrote to memory of 1828	1380	mamade.exe	mamade.exe
PID 1380 wrote to memory of 1828	1380	mamade.exe	mamade.exe
PID 1380 wrote to memory of 1828	1380	mamade.exe	mamade.exe
PID 876 wrote to memory of 936	876	Scan002.scr	Scan002.scr
PID 876 wrote to memory of 936	876	Scan002.scr	Scan002.scr
PID 876 wrote to memory of 936	876	Scan002.scr	Scan002.scr
PID 876 wrote to memory of 936	876	Scan002.scr	Scan002.scr
PID 1380 wrote to memory of 1828	1380	mamade.exe	mamade.exe
PID 876 wrote to memory of 936	876	Scan002.scr	Scan002.scr
PID 1380 wrote to memory of 1828	1380	mamade.exe	mamade.exe
PID 876 wrote to memory of 936	876	Scan002.scr	Scan002.scr
PID 1380 wrote to memory of 1828	1380	mamade.exe	mamade.exe
PID 1380 wrote to memory of 1828	1380	mamade.exe	mamade.exe
PID 876 wrote to memory of 936	876	Scan002.scr	Scan002.scr
PID 876 wrote to memory of 936	876	Scan002.scr	Scan002.scr
PID 936 wrote to memory of 1248	936	Scan002.scr	cmd.exe
PID 936 wrote to memory of 1248	936	Scan002.scr	cmd.exe
PID 936 wrote to memory of 1248	936	Scan002.scr	cmd.exe
PID 936 wrote to memory of 1248	936	Scan002.scr	cmd.exe
PID 1828 wrote to memory of 2036	1828	mamade.exe	cmd.exe
PID 1828 wrote to memory of 2036	1828	mamade.exe	cmd.exe
PID 1828 wrote to memory of 2036	1828	mamade.exe	cmd.exe
PID 1828 wrote to memory of 2036	1828	mamade.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

mamade.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mamade.exe

C:\Users\Admin\AppData\Local\Temp\product.scr
"C:\Users\Admin\AppData\Local\Temp\product.scr" /S
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Scan002.scr
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\Scan002.scr
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Local\Temp\Scan002.scr
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7220209.bat" "C:\Users\Admin\AppData\Local\Temp\Scan002.scr" "
5⤵
PID:1248

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7220194.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe" "
5⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7220194.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7220209.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
memory/672-57-0x0000000000000000-mapping.dmp

Download
memory/876-67-0x0000000000000000-mapping.dmp

Download
memory/876-101-0x0000000000380000-0x0000000000384000-memory.dmp

Filesize
16KB

Download
memory/936-114-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/936-111-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/936-116-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/936-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/936-103-0x000000000041A110-mapping.dmp

Download
memory/1176-60-0x0000000000000000-mapping.dmp

Download
memory/1208-56-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1248-119-0x0000000000000000-mapping.dmp

Download
memory/1380-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-83-0x0000000000407EFE-mapping.dmp

Download
memory/1380-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-113-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1828-99-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1828-117-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1828-118-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1828-93-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1828-102-0x000000000041A110-mapping.dmp

Download
memory/1828-122-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1828-90-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1828-97-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2036-120-0x0000000000000000-mapping.dmp

Download