pony | daa8802270996f3d7b4835fd9fba42da054ad1a58403854c0f86b0666c631ac1

Analysis

max time kernel
208s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113.exe
Size

721KB
MD5

dcf4149718fb8d5a31976034452cb574
SHA1

aef9286d24812051ebca0188a8c4dbaa833a6e3d
SHA256

8aaace67e12ccd71bf30a3b844a81738860dde289f48ee41e61a42bc5797bf25
SHA512

82d4c6c469bc75f9b11cffc7b8d71c262aeb4138162562b3dc3ddc8a5bcd256a51e0171f4f8b6e3e486e391a8c32ecfaf63c0bbef639d83ca806772bd4f48f9c
SSDEEP

12288:U5OnerWhEgD3H08lJDftfNtsj4MNNtCYzsjgdXWYPPm6TWSvCrXIsB3BnqBzsTdN:UInN5k8lX/u4MNNInmjYIkBqzzAuN7st

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://www.warlordsltd.in/wordpress/wp-admin/css/colors/fox/panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 6 IoCs

pid	Process
4656	JAVLPR.exe
2820	452.exe
4380	whnqbo.exe
1356	osix.exe
2576	osix.exe
1392	osix.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral26/memory/4316-139-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral26/memory/4316-141-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral26/memory/4316-142-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral26/memory/4316-145-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral26/files/0x000b000000023159-147.dat	upx
behavioral26/files/0x000b000000023159-148.dat	upx
behavioral26/memory/2820-154-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral26/memory/4316-177-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral26/memory/2820-178-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	113.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	452.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	452.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	452.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Guydaw = "C:\\Users\\Admin\\AppData\\Roaming\\Eczy\\osix.exe"	osix.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\Currentversion\Run	osix.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	osix.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 4316	4656	JAVLPR.exe	86
PID 4316 set thread context of 4380	4316	svchost.exe	88
PID 4316 set thread context of 2576	4316	svchost.exe	93
PID 4316 set thread context of 1392	4316	svchost.exe	94
PID 2820 set thread context of 2848	2820	452.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Privacy	452.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	452.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
4656	JAVLPR.exe
4656	JAVLPR.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe
2576	osix.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4380	whnqbo.exe
Token: SeSecurityPrivilege	4380	whnqbo.exe
Token: SeImpersonatePrivilege	2820	452.exe
Token: SeTcbPrivilege	2820	452.exe
Token: SeChangeNotifyPrivilege	2820	452.exe
Token: SeCreateTokenPrivilege	2820	452.exe
Token: SeBackupPrivilege	2820	452.exe
Token: SeRestorePrivilege	2820	452.exe
Token: SeIncreaseQuotaPrivilege	2820	452.exe
Token: SeAssignPrimaryTokenPrivilege	2820	452.exe
Token: SeImpersonatePrivilege	2820	452.exe
Token: SeTcbPrivilege	2820	452.exe
Token: SeChangeNotifyPrivilege	2820	452.exe
Token: SeCreateTokenPrivilege	2820	452.exe
Token: SeBackupPrivilege	2820	452.exe
Token: SeRestorePrivilege	2820	452.exe
Token: SeIncreaseQuotaPrivilege	2820	452.exe
Token: SeAssignPrimaryTokenPrivilege	2820	452.exe
Token: SeSecurityPrivilege	2820	452.exe
Token: SeSecurityPrivilege	2820	452.exe
Token: SeImpersonatePrivilege	2820	452.exe
Token: SeTcbPrivilege	2820	452.exe
Token: SeChangeNotifyPrivilege	2820	452.exe
Token: SeCreateTokenPrivilege	2820	452.exe
Token: SeBackupPrivilege	2820	452.exe
Token: SeRestorePrivilege	2820	452.exe
Token: SeIncreaseQuotaPrivilege	2820	452.exe
Token: SeAssignPrimaryTokenPrivilege	2820	452.exe
Token: SeImpersonatePrivilege	2820	452.exe
Token: SeTcbPrivilege	2820	452.exe
Token: SeChangeNotifyPrivilege	2820	452.exe
Token: SeCreateTokenPrivilege	2820	452.exe
Token: SeBackupPrivilege	2820	452.exe
Token: SeRestorePrivilege	2820	452.exe
Token: SeIncreaseQuotaPrivilege	2820	452.exe
Token: SeAssignPrimaryTokenPrivilege	2820	452.exe
Token: SeImpersonatePrivilege	2820	452.exe
Token: SeTcbPrivilege	2820	452.exe
Token: SeChangeNotifyPrivilege	2820	452.exe
Token: SeCreateTokenPrivilege	2820	452.exe
Token: SeBackupPrivilege	2820	452.exe
Token: SeRestorePrivilege	2820	452.exe
Token: SeIncreaseQuotaPrivilege	2820	452.exe
Token: SeAssignPrimaryTokenPrivilege	2820	452.exe
Token: SeImpersonatePrivilege	2820	452.exe
Token: SeTcbPrivilege	2820	452.exe
Token: SeChangeNotifyPrivilege	2820	452.exe
Token: SeCreateTokenPrivilege	2820	452.exe
Token: SeBackupPrivilege	2820	452.exe
Token: SeRestorePrivilege	2820	452.exe
Token: SeIncreaseQuotaPrivilege	2820	452.exe
Token: SeAssignPrimaryTokenPrivilege	2820	452.exe
Token: SeSecurityPrivilege	2820	452.exe
Token: SeSecurityPrivilege	2820	452.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4316	svchost.exe
1356	osix.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 4656	3320	113.exe	84
PID 3320 wrote to memory of 4656	3320	113.exe	84
PID 3320 wrote to memory of 4656	3320	113.exe	84
PID 4656 wrote to memory of 4316	4656	JAVLPR.exe	86
PID 4656 wrote to memory of 4316	4656	JAVLPR.exe	86
PID 4656 wrote to memory of 4316	4656	JAVLPR.exe	86
PID 4656 wrote to memory of 4316	4656	JAVLPR.exe	86
PID 4656 wrote to memory of 4316	4656	JAVLPR.exe	86
PID 4656 wrote to memory of 4316	4656	JAVLPR.exe	86
PID 4656 wrote to memory of 4316	4656	JAVLPR.exe	86
PID 4656 wrote to memory of 4316	4656	JAVLPR.exe	86
PID 4316 wrote to memory of 2820	4316	svchost.exe	87
PID 4316 wrote to memory of 2820	4316	svchost.exe	87
PID 4316 wrote to memory of 2820	4316	svchost.exe	87
PID 4316 wrote to memory of 4380	4316	svchost.exe	88
PID 4316 wrote to memory of 4380	4316	svchost.exe	88
PID 4316 wrote to memory of 4380	4316	svchost.exe	88
PID 4316 wrote to memory of 4380	4316	svchost.exe	88
PID 4316 wrote to memory of 4380	4316	svchost.exe	88
PID 4316 wrote to memory of 4380	4316	svchost.exe	88
PID 4316 wrote to memory of 4380	4316	svchost.exe	88
PID 4316 wrote to memory of 4380	4316	svchost.exe	88
PID 4380 wrote to memory of 1356	4380	whnqbo.exe	90
PID 4380 wrote to memory of 1356	4380	whnqbo.exe	90
PID 4380 wrote to memory of 1356	4380	whnqbo.exe	90
PID 4380 wrote to memory of 2940	4380	whnqbo.exe	91
PID 4380 wrote to memory of 2940	4380	whnqbo.exe	91
PID 4380 wrote to memory of 2940	4380	whnqbo.exe	91
PID 4316 wrote to memory of 2576	4316	svchost.exe	93
PID 4316 wrote to memory of 2576	4316	svchost.exe	93
PID 4316 wrote to memory of 2576	4316	svchost.exe	93
PID 4316 wrote to memory of 2576	4316	svchost.exe	93
PID 4316 wrote to memory of 2576	4316	svchost.exe	93
PID 4316 wrote to memory of 2576	4316	svchost.exe	93
PID 4316 wrote to memory of 2576	4316	svchost.exe	93
PID 4316 wrote to memory of 2576	4316	svchost.exe	93
PID 2576 wrote to memory of 2744	2576	osix.exe	50
PID 2576 wrote to memory of 2744	2576	osix.exe	50
PID 2576 wrote to memory of 2744	2576	osix.exe	50
PID 2576 wrote to memory of 2744	2576	osix.exe	50
PID 2576 wrote to memory of 2744	2576	osix.exe	50
PID 2576 wrote to memory of 2832	2576	osix.exe	49
PID 2576 wrote to memory of 2832	2576	osix.exe	49
PID 2576 wrote to memory of 2832	2576	osix.exe	49
PID 2576 wrote to memory of 2832	2576	osix.exe	49
PID 2576 wrote to memory of 2832	2576	osix.exe	49
PID 2576 wrote to memory of 2896	2576	osix.exe	48
PID 2576 wrote to memory of 2896	2576	osix.exe	48
PID 2576 wrote to memory of 2896	2576	osix.exe	48
PID 2576 wrote to memory of 2896	2576	osix.exe	48
PID 2576 wrote to memory of 2896	2576	osix.exe	48
PID 2576 wrote to memory of 1028	2576	osix.exe	42
PID 2576 wrote to memory of 1028	2576	osix.exe	42
PID 2576 wrote to memory of 1028	2576	osix.exe	42
PID 2576 wrote to memory of 1028	2576	osix.exe	42
PID 2576 wrote to memory of 1028	2576	osix.exe	42
PID 2576 wrote to memory of 2876	2576	osix.exe	47
PID 2576 wrote to memory of 2876	2576	osix.exe	47
PID 2576 wrote to memory of 2876	2576	osix.exe	47
PID 2576 wrote to memory of 2876	2576	osix.exe	47
PID 2576 wrote to memory of 2876	2576	osix.exe	47
PID 2576 wrote to memory of 3252	2576	osix.exe	46
PID 2576 wrote to memory of 3252	2576	osix.exe	46
PID 2576 wrote to memory of 3252	2576	osix.exe	46

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	452.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1028
- C:\Users\Admin\AppData\Local\Temp\113.exe
  "C:\Users\Admin\AppData\Local\Temp\113.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\JAVLPR.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JAVLPR.exe" "whnqBO"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Users\Admin\AppData\Roaming\452.exe
        
        "C:\Users\Admin\AppData\Roaming\452.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of SetThreadContext
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        outlook_win_path
        
        PID:2820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240655687.bat" "C:\Users\Admin\AppData\Roaming\452.exe" "
        6⤵
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\whnqbo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\whnqbo.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Users\Admin\AppData\Roaming\Eczy\osix.exe
        
        "C:\Users\Admin\AppData\Roaming\Eczy\osix.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbfd1c7fd.bat"
        6⤵
        
        PID:2940
    - - C:\Users\Admin\AppData\Roaming\Eczy\osix.exe
        
        "C:\Users\Admin\AppData\Roaming\Eczy\osix.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2576
    - - C:\Users\Admin\AppData\Roaming\Eczy\osix.exe
        
        "C:\Users\Admin\AppData\Roaming\Eczy\osix.exe"
        5⤵
        Executes dropped EXE
        
        PID:1392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2876

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2832

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4480

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4444

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4280

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\JAVLPR.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JAVLPR.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KPfWmk.txt

Filesize
624KB

MD5
211902e16e3130b5aca8041cc3afcedd

SHA1
890fa2c7f24a86f97aff48eea863139a45551886

SHA256
ef628f0c9ae2f7f743f2e972e08be9a843d2e5b8100e49dcf71bde3d3138bbff

SHA512
f81b51e00f39645728bb659ebd4b80042029c12369ea57bb716c6adcf2e75a36c0a1964c37f1d65c9babb3e0a1ef7bcc354b5a72c75ea3411831668c8c3676de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\whnqBO

Filesize
5KB

MD5
ea64e4fa21d4c079e5f9a6421b0feaa4

SHA1
662a15640ca2bedebb7de68af76991e383a55ad3

SHA256
107d31cb984c6aec3eb946e6dad58a15117d844887cc3735785cce6819c9d4c8

SHA512
4f59c68cd0119909420ccfcc6b48b9ea823972845e072b31925818c8c2167f8bfde32ab18c19062eea0d3a74eab70572bab5607b94a656579b093a698e4ae532

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xwxbYh.exe

Filesize
102KB

MD5
fa04df606322d21c47562709bd39baf9

SHA1
63403adbe8c61ba473f35cec6681f85b4682c8f8

SHA256
b6cda79c50e1503be7022a9fbcc4417221afd166f5cae9c3ebe4f093524abc50

SHA512
01a8b16c6965aad459415f06395cc649703a9c2cc51fa78cee219a8da1d36bd880ecddd1618b5f6edd9f127cf3b5f87f679038454dea52b986cb293f849c4a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.txt

Filesize
42B

MD5
e52790f5d2d6bd0be5ce6714cf0a756a

SHA1
37084354c299c9f1663354e5e8003e2accd5d008

SHA256
67801943b0c129223f3d1fcf38253869215fd3a4d80afc8c88e828c647743905

SHA512
9588dcd69eda6b1af25ec7ceae3ac7b9d30f1d0c137e9d77932f40c12ab906975e7d0762eac6e62b5cecc1a0b3a672db9a08ebb00c9fdaa23a1b9b5ee913efb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpbfd1c7fd.bat

Filesize
191B

MD5
ad1331e4e1df9cbb952626e3aaf0a7c8

SHA1
9aacdfb17821daadecf82ad6bda2704fbb285af4

SHA256
b5eccbef16a9e9cd2b22169fbbdc6a564610962c556f3d0f1ca83b48685416a6

SHA512
148434b4e685e28aadbf51602764a58641b4ecc87b649c3cb2886a7b002655fbb57989c3ea208b1c9e68fe3ceb71c681ee4eb1502010cea48bb9add74897d003

Download Submit
C:\Users\Admin\AppData\Local\Temp\whnqbo.exe

Filesize
21KB

MD5
0c5ad6132af88310b78a1cc7a2b064f0

SHA1
6b31e1340d13fe5d2269ae30d4fd207acaa8b8f5

SHA256
1709f78c047c377fb3f31ce4eedf20ba7eef80cb49bce72eaa516e14e39a0de9

SHA512
c2cc3042ab60c07e7cdff88d60299948783a5d9dba253bf843fd88d6fe280a1999d1f25b1d6e69e81cf247ca78c87e690fb53b8fe45bb4f4f7b3c403205a26d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\whnqbo.exe

Filesize
21KB

MD5
0c5ad6132af88310b78a1cc7a2b064f0

SHA1
6b31e1340d13fe5d2269ae30d4fd207acaa8b8f5

SHA256
1709f78c047c377fb3f31ce4eedf20ba7eef80cb49bce72eaa516e14e39a0de9

SHA512
c2cc3042ab60c07e7cdff88d60299948783a5d9dba253bf843fd88d6fe280a1999d1f25b1d6e69e81cf247ca78c87e690fb53b8fe45bb4f4f7b3c403205a26d5

Download Submit
C:\Users\Admin\AppData\Roaming\452.exe

Filesize
34KB

MD5
082e80a5ab80bf298982830cec80c543

SHA1
4b870d1a37adf10b87774668143b7e757a1aba85

SHA256
1d4a0ed15917adbd10f3e11b776fbc2dca4ace600ecb912471c9e6fd066ec2e1

SHA512
59ffb70275592ecabaa9e371704929f9866e2849a0b631f1fc91a27afe9235b5549a7085373f0603de8376df94fae064951882bafcf0db15b01e58d8a6423fb7

Download Submit
C:\Users\Admin\AppData\Roaming\452.exe

Filesize
34KB

MD5
082e80a5ab80bf298982830cec80c543

SHA1
4b870d1a37adf10b87774668143b7e757a1aba85

SHA256
1d4a0ed15917adbd10f3e11b776fbc2dca4ace600ecb912471c9e6fd066ec2e1

SHA512
59ffb70275592ecabaa9e371704929f9866e2849a0b631f1fc91a27afe9235b5549a7085373f0603de8376df94fae064951882bafcf0db15b01e58d8a6423fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Eczy\osix.exe

Filesize
21KB

MD5
75356bd0b88607accbde231c0f671dc0

SHA1
cc84081ab420effae55db917490bebbdc4b844ab

SHA256
9b96d8e985be428110a40b4bca84d7f9721ee9812a8510b6c86e9591be5625db

SHA512
b18757afac9e11f2f7efd1872f6957540802db4016a69dcddb95dd439689f262d7e2a0a3eb3c720e0a316332a818e536ab37fb79c169329b17312d1e752c0455

Download Submit
C:\Users\Admin\AppData\Roaming\Eczy\osix.exe

Filesize
21KB

MD5
75356bd0b88607accbde231c0f671dc0

SHA1
cc84081ab420effae55db917490bebbdc4b844ab

SHA256
9b96d8e985be428110a40b4bca84d7f9721ee9812a8510b6c86e9591be5625db

SHA512
b18757afac9e11f2f7efd1872f6957540802db4016a69dcddb95dd439689f262d7e2a0a3eb3c720e0a316332a818e536ab37fb79c169329b17312d1e752c0455

Download Submit
C:\Users\Admin\AppData\Roaming\Eczy\osix.exe

Filesize
21KB

MD5
75356bd0b88607accbde231c0f671dc0

SHA1
cc84081ab420effae55db917490bebbdc4b844ab

SHA256
9b96d8e985be428110a40b4bca84d7f9721ee9812a8510b6c86e9591be5625db

SHA512
b18757afac9e11f2f7efd1872f6957540802db4016a69dcddb95dd439689f262d7e2a0a3eb3c720e0a316332a818e536ab37fb79c169329b17312d1e752c0455

Download Submit
C:\Users\Admin\AppData\Roaming\Eczy\osix.exe

Filesize
21KB

MD5
75356bd0b88607accbde231c0f671dc0

SHA1
cc84081ab420effae55db917490bebbdc4b844ab

SHA256
9b96d8e985be428110a40b4bca84d7f9721ee9812a8510b6c86e9591be5625db

SHA512
b18757afac9e11f2f7efd1872f6957540802db4016a69dcddb95dd439689f262d7e2a0a3eb3c720e0a316332a818e536ab37fb79c169329b17312d1e752c0455

Download Submit
C:\Users\Admin\AppData\Roaming\Keakeb\erki.uqs

Filesize
2KB

MD5
9189bd25794aa324a873725d52dd63c9

SHA1
19f7227d1bed208ffe9590987168d78bb64c3068

SHA256
538adbaae4714fac2e68dbe2a0567e98ea88d923d43a72c59e5ec397eacbf1c4

SHA512
8d0cc8213ff8dc0c389d348b546ee8c624271cc8fc87da029b7baa5bc7724024428ee3b7875a04c077a7871e36d2788c5b6769eea73f6afcc56e0032aea0c7d1

Download Submit
memory/1392-176-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2576-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2820-178-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2820-154-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2820-171-0x0000000002D70000-0x0000000002DAB000-memory.dmp

Filesize
236KB

Download
memory/2820-179-0x0000000002D70000-0x0000000002DAB000-memory.dmp

Filesize
236KB

Download
memory/2848-182-0x0000000001200000-0x000000000123B000-memory.dmp

Filesize
236KB

Download
memory/2848-183-0x0000000001200000-0x000000000123B000-memory.dmp

Filesize
236KB

Download
memory/4316-145-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4316-170-0x0000000004840000-0x000000000487B000-memory.dmp

Filesize
236KB

Download
memory/4316-177-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4316-142-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4316-141-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4316-139-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4380-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4380-155-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4380-150-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download