pony | 7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0

General

Target

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
Size

596KB
MD5

3bd0f5a04952c1f522e51b509c12a370
SHA1

0c788da376cc061c393d9deec22b759c195020fb
SHA256

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0
SHA512

838184f5f20ec29fda8965447be81eb254fb5f49c1468a83654a868ee7d8fcce75d651252f1781e3998810658d489498b5de2bd76c59c1f0cd051d671b05ad23
SSDEEP

12288:ko0ZjcnNr3SP4Ybgob0vSZcVm/IMnfiNAKrObQnOxTYS:kPZjcnx64eIvFMIQ6PrOcnCYS

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://osinachi.site40.net/helo/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

bCnqnn.exe

pid process

3080 bCnqnn.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3028-139-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3028-141-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3028-142-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3028-145-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3588-155-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3588-157-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3588-158-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3588-159-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3028-164-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3588-165-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3588-166-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3800 icacls.exe

pid	process
3800	icacls.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

bCnqnn.exesvchost.exe

description	pid	process	target process
PID 3080 set thread context of 3028	3080	bCnqnn.exe	svchost.exe
PID 3028 set thread context of 3588	3028	svchost.exe	svchost.exe
PID 3028 set thread context of 2448	3028	svchost.exe	svchost.exe
PID 3028 set thread context of 2216	3028	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4204 2216 WerFault.exe svchost.exe
3372 2448 WerFault.exe svchost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4664 schtasks.exe

pid	pid_target	process	target process
4204	2216	WerFault.exe	svchost.exe
3372	2448	WerFault.exe	svchost.exe

pid	process
4664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

bCnqnn.exesvchost.exe

pid	process
3080	bCnqnn.exe
3080	bCnqnn.exe
3080	bCnqnn.exe
3080	bCnqnn.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe
3028	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeImpersonatePrivilege	3588	svchost.exe
Token: SeTcbPrivilege	3588	svchost.exe
Token: SeChangeNotifyPrivilege	3588	svchost.exe
Token: SeCreateTokenPrivilege	3588	svchost.exe
Token: SeBackupPrivilege	3588	svchost.exe
Token: SeRestorePrivilege	3588	svchost.exe
Token: SeIncreaseQuotaPrivilege	3588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3588	svchost.exe
Token: SeImpersonatePrivilege	3588	svchost.exe
Token: SeTcbPrivilege	3588	svchost.exe
Token: SeChangeNotifyPrivilege	3588	svchost.exe
Token: SeCreateTokenPrivilege	3588	svchost.exe
Token: SeBackupPrivilege	3588	svchost.exe
Token: SeRestorePrivilege	3588	svchost.exe
Token: SeIncreaseQuotaPrivilege	3588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3588	svchost.exe
Token: SeImpersonatePrivilege	3588	svchost.exe
Token: SeTcbPrivilege	3588	svchost.exe
Token: SeChangeNotifyPrivilege	3588	svchost.exe
Token: SeCreateTokenPrivilege	3588	svchost.exe
Token: SeBackupPrivilege	3588	svchost.exe
Token: SeRestorePrivilege	3588	svchost.exe
Token: SeIncreaseQuotaPrivilege	3588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3588	svchost.exe
Token: SeImpersonatePrivilege	3588	svchost.exe
Token: SeTcbPrivilege	3588	svchost.exe
Token: SeChangeNotifyPrivilege	3588	svchost.exe
Token: SeCreateTokenPrivilege	3588	svchost.exe
Token: SeBackupPrivilege	3588	svchost.exe
Token: SeRestorePrivilege	3588	svchost.exe
Token: SeIncreaseQuotaPrivilege	3588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3588	svchost.exe
Token: SeImpersonatePrivilege	3588	svchost.exe
Token: SeTcbPrivilege	3588	svchost.exe
Token: SeChangeNotifyPrivilege	3588	svchost.exe
Token: SeCreateTokenPrivilege	3588	svchost.exe
Token: SeBackupPrivilege	3588	svchost.exe
Token: SeRestorePrivilege	3588	svchost.exe
Token: SeIncreaseQuotaPrivilege	3588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3588	svchost.exe
Token: SeImpersonatePrivilege	3588	svchost.exe
Token: SeTcbPrivilege	3588	svchost.exe
Token: SeChangeNotifyPrivilege	3588	svchost.exe
Token: SeCreateTokenPrivilege	3588	svchost.exe
Token: SeBackupPrivilege	3588	svchost.exe
Token: SeRestorePrivilege	3588	svchost.exe
Token: SeIncreaseQuotaPrivilege	3588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3588	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe

pid	process
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe

pid	process
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3028 svchost.exe

pid	process
3028	svchost.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.execmd.exebCnqnn.exesvchost.execmd.exeWScript.exe

description	pid	process	target process
PID 1344 wrote to memory of 3124	1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe	cmd.exe
PID 1344 wrote to memory of 3124	1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe	cmd.exe
PID 1344 wrote to memory of 3124	1344	7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe	cmd.exe
PID 3124 wrote to memory of 3080	3124	cmd.exe	bCnqnn.exe
PID 3124 wrote to memory of 3080	3124	cmd.exe	bCnqnn.exe
PID 3124 wrote to memory of 3080	3124	cmd.exe	bCnqnn.exe
PID 3080 wrote to memory of 3028	3080	bCnqnn.exe	svchost.exe
PID 3080 wrote to memory of 3028	3080	bCnqnn.exe	svchost.exe
PID 3080 wrote to memory of 3028	3080	bCnqnn.exe	svchost.exe
PID 3080 wrote to memory of 3028	3080	bCnqnn.exe	svchost.exe
PID 3080 wrote to memory of 3028	3080	bCnqnn.exe	svchost.exe
PID 3080 wrote to memory of 3028	3080	bCnqnn.exe	svchost.exe
PID 3080 wrote to memory of 3028	3080	bCnqnn.exe	svchost.exe
PID 3080 wrote to memory of 3028	3080	bCnqnn.exe	svchost.exe
PID 3028 wrote to memory of 4368	3028	svchost.exe	schtasks.exe
PID 3028 wrote to memory of 4368	3028	svchost.exe	schtasks.exe
PID 3028 wrote to memory of 4368	3028	svchost.exe	schtasks.exe
PID 3028 wrote to memory of 4664	3028	svchost.exe	schtasks.exe
PID 3028 wrote to memory of 4664	3028	svchost.exe	schtasks.exe
PID 3028 wrote to memory of 4664	3028	svchost.exe	schtasks.exe
PID 3028 wrote to memory of 1124	3028	svchost.exe	cmd.exe
PID 3028 wrote to memory of 1124	3028	svchost.exe	cmd.exe
PID 3028 wrote to memory of 1124	3028	svchost.exe	cmd.exe
PID 1124 wrote to memory of 3800	1124	cmd.exe	icacls.exe
PID 1124 wrote to memory of 3800	1124	cmd.exe	icacls.exe
PID 1124 wrote to memory of 3800	1124	cmd.exe	icacls.exe
PID 3028 wrote to memory of 3588	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 3588	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 3588	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 3588	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 3588	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 3588	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 3588	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 3588	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 2448	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 2448	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 2448	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 2448	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 2216	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 2216	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 2216	3028	svchost.exe	svchost.exe
PID 3028 wrote to memory of 2216	3028	svchost.exe	svchost.exe
PID 2544 wrote to memory of 2980	2544	WScript.exe	cmd.exe
PID 2544 wrote to memory of 2980	2544	WScript.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe
"C:\Users\Admin\AppData\Local\Temp\7de1bf92bf36e8bc2affa006547ff2809a927a2d489ae8b34c2d57b83b88b9c0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe PjGWZk
2⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe
C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe PjGWZk
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn WindowsUpdatepjgwzk0x8429524
5⤵
PID:4368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn WindowsUpdatepjgwzk0x8429525 /tr "C:\ProgramData\pjgwzk\QyQhwE.vbs" /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:4664

C:\Windows\SysWOW64\cmd.exe
cmd /c icacls "C:\ProgramData\pjgwzk" /deny %username%:F
5⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\pjgwzk" /deny Admin:F
6⤵
- Modifies file permissions
PID:3800

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:3588

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 84
6⤵
- Program crash
PID:3372

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 84
6⤵
- Program crash
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2448 -ip 2448
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2216 -ip 2216
1⤵
PID:3116

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\pjgwzk\QyQhwE.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\pjgwzk\\bCnqnn.exe C:\ProgramData\pjgwzk\\PjGWZk
2⤵
PID:2980

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\pjgwzk\QyQhwE.vbs"
1⤵
- Checks computer location settings
PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pjgwzk\DRxCLH.txt
Filesize
235KB

MD5
6dfceb0fdc7b6958a79935c14bf91b57

SHA1
ab47d02095a048dbd68b15c569ae1ba52ec075a7

SHA256
3fb850a10aceabd25719ce1c75602f65c3708df58a62b4ebac5624f9711cfd05

SHA512
f182122c2f256e3dc9e2062a30858f56430b91178493bdeac2a341612e42ecdab29d071649b53247fa9f74443a89461848632ef221fc5b868233dffa77462267

Download Submit
C:\ProgramData\pjgwzk\PjGWZk
Filesize
7KB

MD5
121df8c2cc00e500a6f33cae4efd3e83

SHA1
c50fdb4557fd29b8da3418bbd970dacebdd2ba3a

SHA256
1c67c07d32e8522feae55034d67cbdf9a895b1306cc8da6730476f10389361e6

SHA512
c1afc91180d39c7032db1b2bc417fb901ae718cc141a02758037d6c783529012cff6acba90947ad18c1a75315d6279ada684c3335f00e68a6b406f5cbdd6fb34

Download Submit
C:\ProgramData\pjgwzk\QyQhwE.vbs
Filesize
274B

MD5
343c3ab8edd666ae4e44d266dc9611e5

SHA1
6167154c295c26716c25f60b58c833aa0db6cf56

SHA256
7a98d15cb760c591ee075ac9f302b9d44a2dc56e53179f77042d29352f96e8a3

SHA512
168890b6dd9db80b01176ee07a0e6b2976141886016b92254404f66063bc8402271b9e0212dcf121c0ad4bf8f23a9df5142ad5e2adda05079468485ac0c6647d

Download Submit
C:\ProgramData\pjgwzk\bCnqnn.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRxCLH.txt
Filesize
235KB

MD5
6dfceb0fdc7b6958a79935c14bf91b57

SHA1
ab47d02095a048dbd68b15c569ae1ba52ec075a7

SHA256
3fb850a10aceabd25719ce1c75602f65c3708df58a62b4ebac5624f9711cfd05

SHA512
f182122c2f256e3dc9e2062a30858f56430b91178493bdeac2a341612e42ecdab29d071649b53247fa9f74443a89461848632ef221fc5b868233dffa77462267

Download Submit
C:\Users\Admin\AppData\Local\Temp\PjGWZk
Filesize
7KB

MD5
121df8c2cc00e500a6f33cae4efd3e83

SHA1
c50fdb4557fd29b8da3418bbd970dacebdd2ba3a

SHA256
1c67c07d32e8522feae55034d67cbdf9a895b1306cc8da6730476f10389361e6

SHA512
c1afc91180d39c7032db1b2bc417fb901ae718cc141a02758037d6c783529012cff6acba90947ad18c1a75315d6279ada684c3335f00e68a6b406f5cbdd6fb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCnqnn.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
memory/1124-148-0x0000000000000000-mapping.dmp

Download
memory/2216-162-0x0000000000000000-mapping.dmp

Download
memory/2448-160-0x0000000000000000-mapping.dmp

Download
memory/2980-167-0x0000000000000000-mapping.dmp

Download
memory/3028-164-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3028-145-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3028-142-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3028-141-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3028-139-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3028-138-0x0000000000000000-mapping.dmp

Download
memory/3080-133-0x0000000000000000-mapping.dmp

Download
memory/3124-132-0x0000000000000000-mapping.dmp

Download
memory/3588-157-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3588-155-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3588-158-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3588-159-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3588-154-0x0000000000000000-mapping.dmp

Download
memory/3588-165-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3588-166-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3800-149-0x0000000000000000-mapping.dmp

Download
memory/4368-146-0x0000000000000000-mapping.dmp

Download
memory/4664-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads