pony | 9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18

Analysis

max time kernel
164s
max time network
36s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
Size

597KB
MD5

a21dca2f92809ab908e991053b9809f6
SHA1

ade6207b8f0fe25617beb088ef0a7fefedb219ff
SHA256

9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18
SHA512

5830d09a4cefdf6451da816e8ba1676613b41920bb6588b40e909c92ae8ff8cc355bd103ad4b6d32ee4b4d6ee9b3c9d606990927c32a686378456b3b16c09b93
SSDEEP

12288:ko0ZjcnNr3SC4Ybgob0vSZcVm/IMnfiNAKrMFnN6UaIg:kPZjcnxn4eIvFMIQ6PrMFnu

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://orangeisabitch.net16.net/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

TBktrH.exe

pid process

1148 TBktrH.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/680-64-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/680-66-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/680-67-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/680-70-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/680-71-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/680-74-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1128-85-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1128-87-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1128-88-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1128-97-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1128-98-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1128-104-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/680-105-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1128-108-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2020-109-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2020-110-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1128-111-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

796 cmd.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1660 icacls.exe

pid	process
796	cmd.exe

pid	process
1660	icacls.exe

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

TBktrH.exesvchost.exe

description	pid	process	target process
PID 1148 set thread context of 680	1148	TBktrH.exe	svchost.exe
PID 680 set thread context of 1128	680	svchost.exe	svchost.exe
PID 680 set thread context of 2020	680	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

884 schtasks.exe

pid	process
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

TBktrH.exesvchost.exe

pid	process
1148	TBktrH.exe
1148	TBktrH.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe
680	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	1128	svchost.exe
Token: SeTcbPrivilege	1128	svchost.exe
Token: SeChangeNotifyPrivilege	1128	svchost.exe
Token: SeCreateTokenPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeRestorePrivilege	1128	svchost.exe
Token: SeIncreaseQuotaPrivilege	1128	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1128	svchost.exe
Token: SeImpersonatePrivilege	2020	svchost.exe
Token: SeTcbPrivilege	2020	svchost.exe
Token: SeChangeNotifyPrivilege	2020	svchost.exe
Token: SeCreateTokenPrivilege	2020	svchost.exe
Token: SeBackupPrivilege	2020	svchost.exe
Token: SeRestorePrivilege	2020	svchost.exe
Token: SeIncreaseQuotaPrivilege	2020	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2020	svchost.exe
Token: SeImpersonatePrivilege	1128	svchost.exe
Token: SeImpersonatePrivilege	2020	svchost.exe
Token: SeTcbPrivilege	1128	svchost.exe
Token: SeTcbPrivilege	2020	svchost.exe
Token: SeChangeNotifyPrivilege	1128	svchost.exe
Token: SeChangeNotifyPrivilege	2020	svchost.exe
Token: SeCreateTokenPrivilege	2020	svchost.exe
Token: SeCreateTokenPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	2020	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeRestorePrivilege	1128	svchost.exe
Token: SeRestorePrivilege	2020	svchost.exe
Token: SeIncreaseQuotaPrivilege	2020	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2020	svchost.exe
Token: SeIncreaseQuotaPrivilege	1128	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1128	svchost.exe
Token: SeImpersonatePrivilege	2020	svchost.exe
Token: SeTcbPrivilege	2020	svchost.exe
Token: SeImpersonatePrivilege	1128	svchost.exe
Token: SeTcbPrivilege	1128	svchost.exe
Token: SeChangeNotifyPrivilege	2020	svchost.exe
Token: SeChangeNotifyPrivilege	1128	svchost.exe
Token: SeCreateTokenPrivilege	2020	svchost.exe
Token: SeCreateTokenPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	2020	svchost.exe
Token: SeRestorePrivilege	1128	svchost.exe
Token: SeRestorePrivilege	2020	svchost.exe
Token: SeIncreaseQuotaPrivilege	2020	svchost.exe
Token: SeIncreaseQuotaPrivilege	1128	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2020	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1128	svchost.exe
Token: SeImpersonatePrivilege	2020	svchost.exe
Token: SeTcbPrivilege	2020	svchost.exe
Token: SeChangeNotifyPrivilege	2020	svchost.exe
Token: SeCreateTokenPrivilege	2020	svchost.exe
Token: SeBackupPrivilege	2020	svchost.exe
Token: SeRestorePrivilege	2020	svchost.exe
Token: SeIncreaseQuotaPrivilege	2020	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2020	svchost.exe
Token: SeImpersonatePrivilege	1128	svchost.exe
Token: SeTcbPrivilege	1128	svchost.exe
Token: SeChangeNotifyPrivilege	1128	svchost.exe
Token: SeCreateTokenPrivilege	1128	svchost.exe
Token: SeBackupPrivilege	1128	svchost.exe
Token: SeRestorePrivilege	1128	svchost.exe
Token: SeIncreaseQuotaPrivilege	1128	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1128	svchost.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe

pid	process
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe

pid	process
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

680 svchost.exe

pid	process
680	svchost.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.execmd.exeTBktrH.exesvchost.execmd.exetaskeng.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1536 wrote to memory of 796	1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe	cmd.exe
PID 1536 wrote to memory of 796	1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe	cmd.exe
PID 1536 wrote to memory of 796	1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe	cmd.exe
PID 1536 wrote to memory of 796	1536	9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe	cmd.exe
PID 796 wrote to memory of 1148	796	cmd.exe	TBktrH.exe
PID 796 wrote to memory of 1148	796	cmd.exe	TBktrH.exe
PID 796 wrote to memory of 1148	796	cmd.exe	TBktrH.exe
PID 796 wrote to memory of 1148	796	cmd.exe	TBktrH.exe
PID 1148 wrote to memory of 680	1148	TBktrH.exe	svchost.exe
PID 1148 wrote to memory of 680	1148	TBktrH.exe	svchost.exe
PID 1148 wrote to memory of 680	1148	TBktrH.exe	svchost.exe
PID 1148 wrote to memory of 680	1148	TBktrH.exe	svchost.exe
PID 1148 wrote to memory of 680	1148	TBktrH.exe	svchost.exe
PID 1148 wrote to memory of 680	1148	TBktrH.exe	svchost.exe
PID 1148 wrote to memory of 680	1148	TBktrH.exe	svchost.exe
PID 1148 wrote to memory of 680	1148	TBktrH.exe	svchost.exe
PID 680 wrote to memory of 1876	680	svchost.exe	schtasks.exe
PID 680 wrote to memory of 1876	680	svchost.exe	schtasks.exe
PID 680 wrote to memory of 1876	680	svchost.exe	schtasks.exe
PID 680 wrote to memory of 1876	680	svchost.exe	schtasks.exe
PID 680 wrote to memory of 884	680	svchost.exe	schtasks.exe
PID 680 wrote to memory of 884	680	svchost.exe	schtasks.exe
PID 680 wrote to memory of 884	680	svchost.exe	schtasks.exe
PID 680 wrote to memory of 884	680	svchost.exe	schtasks.exe
PID 680 wrote to memory of 1100	680	svchost.exe	cmd.exe
PID 680 wrote to memory of 1100	680	svchost.exe	cmd.exe
PID 680 wrote to memory of 1100	680	svchost.exe	cmd.exe
PID 680 wrote to memory of 1100	680	svchost.exe	cmd.exe
PID 1100 wrote to memory of 1660	1100	cmd.exe	icacls.exe
PID 1100 wrote to memory of 1660	1100	cmd.exe	icacls.exe
PID 1100 wrote to memory of 1660	1100	cmd.exe	icacls.exe
PID 1100 wrote to memory of 1660	1100	cmd.exe	icacls.exe
PID 680 wrote to memory of 1128	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 1128	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 1128	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 1128	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 1128	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 1128	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 1128	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 1128	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 2020	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 2020	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 2020	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 2020	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 2020	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 2020	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 2020	680	svchost.exe	svchost.exe
PID 680 wrote to memory of 2020	680	svchost.exe	svchost.exe
PID 1880 wrote to memory of 1604	1880	taskeng.exe	WScript.exe
PID 1880 wrote to memory of 1604	1880	taskeng.exe	WScript.exe
PID 1880 wrote to memory of 1604	1880	taskeng.exe	WScript.exe
PID 1604 wrote to memory of 1272	1604	WScript.exe	cmd.exe
PID 1604 wrote to memory of 1272	1604	WScript.exe	cmd.exe
PID 1604 wrote to memory of 1272	1604	WScript.exe	cmd.exe
PID 1880 wrote to memory of 1100	1880	taskeng.exe	WScript.exe
PID 1880 wrote to memory of 1100	1880	taskeng.exe	WScript.exe
PID 1880 wrote to memory of 1100	1880	taskeng.exe	WScript.exe
PID 1100 wrote to memory of 1156	1100	WScript.exe	cmd.exe
PID 1100 wrote to memory of 1156	1100	WScript.exe	cmd.exe
PID 1100 wrote to memory of 1156	1100	WScript.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe
"C:\Users\Admin\AppData\Local\Temp\9acb2a07e767c13806b1e29b793bcff0e4d740721d0e262601baad86d8124e18.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TBktrH.exe HiDZdd
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\TBktrH.exe
C:\Users\Admin\AppData\Local\Temp\TBktrH.exe HiDZdd
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn WindowsUpdatehidzdd0x8429524
5⤵
PID:1876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn WindowsUpdatehidzdd0x8429525 /tr "C:\ProgramData\hidzdd\IxNKBw.vbs" /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c icacls "C:\ProgramData\hidzdd" /deny %username%:F
5⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\hidzdd" /deny Admin:F
6⤵
- Modifies file permissions
PID:1660

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:2020

C:\Windows\system32\taskeng.exe
taskeng.exe {B8C9E6AF-FCCC-4566-B993-00F969EF3DAA} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\hidzdd\IxNKBw.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\hidzdd\\TBktrH.exe C:\ProgramData\hidzdd\\HiDZdd
3⤵
PID:1272

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\hidzdd\IxNKBw.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\hidzdd\\TBktrH.exe C:\ProgramData\hidzdd\\HiDZdd
3⤵
PID:1156

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hidzdd\HiDZdd
Filesize
10KB

MD5
159aa0635b2dc54aac20ad0d63a9404b

SHA1
6b906a673cb647b9ea7b03ee87219e6fa82a9d5e

SHA256
806db9ceceb847fd60130960928fc8c189b3c61a5cbc05e02d77a358b0c95605

SHA512
f6d744b6e35bd6800710d1f864136370c7080e43fcef5b9f2742cf595b6354705bfd07bed36f507abeacb9bbe1fb2e631f71ea9cf77096062f0672e712e932ec

Download Submit
C:\ProgramData\hidzdd\IxNKBw.vbs
Filesize
274B

MD5
63f5b8ef3d2ec240d9b08d8f8d1c1aed

SHA1
c29a132607ac7683122f73c05edb0fc191b7adae

SHA256
ddf26df59e591d956f2c76b120f21c9178769398e5d4f2b898634e5a8d609fd3

SHA512
d41e8bf1736e10b9bb8783fd689388f11ac5d87808e84ed684a833edd9137d60718a63368f6876534193d7c05d7b0a4cc9dbc38f7a6d23e4f71adb18a4ec8834

Download Submit
C:\ProgramData\hidzdd\TBktrH.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\ProgramData\hidzdd\uQuePa.txt
Filesize
235KB

MD5
ea2739c7c18dcfca6c534a73c7263cda

SHA1
98156ad57c3f3f9afccd286865ac18dfaed18e5e

SHA256
f86158b6da47d5dad30e12736d0a971713610f35d64dd8b80bfe0608d765b863

SHA512
82d09944b32ef8b270cf81399fb3d55375728b6e3cfbc6f1e5f004b636fe0ca4e9f82b60af61c95ed23182128aacc3423c77a5055aa3663ad4a499b8b5ba0053

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiDZdd
Filesize
10KB

MD5
159aa0635b2dc54aac20ad0d63a9404b

SHA1
6b906a673cb647b9ea7b03ee87219e6fa82a9d5e

SHA256
806db9ceceb847fd60130960928fc8c189b3c61a5cbc05e02d77a358b0c95605

SHA512
f6d744b6e35bd6800710d1f864136370c7080e43fcef5b9f2742cf595b6354705bfd07bed36f507abeacb9bbe1fb2e631f71ea9cf77096062f0672e712e932ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBktrH.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBktrH.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQuePa.txt
Filesize
235KB

MD5
ea2739c7c18dcfca6c534a73c7263cda

SHA1
98156ad57c3f3f9afccd286865ac18dfaed18e5e

SHA256
f86158b6da47d5dad30e12736d0a971713610f35d64dd8b80bfe0608d765b863

SHA512
82d09944b32ef8b270cf81399fb3d55375728b6e3cfbc6f1e5f004b636fe0ca4e9f82b60af61c95ed23182128aacc3423c77a5055aa3663ad4a499b8b5ba0053

Download Submit
\Users\Admin\AppData\Local\Temp\TBktrH.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
memory/680-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-68-0x00000000004574F0-mapping.dmp

Download
memory/680-70-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-74-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-105-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/796-55-0x0000000000000000-mapping.dmp

Download
memory/884-77-0x0000000000000000-mapping.dmp

Download
memory/1100-114-0x0000000000000000-mapping.dmp

Download
memory/1100-78-0x0000000000000000-mapping.dmp

Download
memory/1128-87-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1128-84-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1128-85-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1128-108-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1128-88-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1128-89-0x000000000041AEF0-mapping.dmp

Download
memory/1128-111-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1128-97-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1128-98-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1128-104-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1148-58-0x0000000000000000-mapping.dmp

Download
memory/1156-116-0x0000000000000000-mapping.dmp

Download
memory/1272-113-0x0000000000000000-mapping.dmp

Download
memory/1536-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1604-107-0x0000000000000000-mapping.dmp

Download
memory/1660-79-0x0000000000000000-mapping.dmp

Download
memory/1876-76-0x0000000000000000-mapping.dmp

Download
memory/1880-106-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/2020-110-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2020-109-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2020-96-0x000000000041AEF0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads