pony | daa8802270996f3d7b4835fd9fba42da054ad1a58403854c0f86b0666c631ac1

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114.exe
Size

928KB
MD5

1a3e186988e76f505a858eb30d77fa72
SHA1

c9a8f4429f588f2332b2e61bbdd67bbe7b9128c3
SHA256

d40a88423f47facdc46b66e7250866c8280b53733c1e366a077e8925aaa71953
SHA512

7fe896b8f7a1e5f091ed5f19a559adb5a29b4bc703cfa161adafe73cd71bdf18cf438c0c46bc96187288727dbc45e337fa8b14d1b80b7deef9a964df82d85ce3
SSDEEP

12288:x5OEfJo1mJxRHHE6mRsc9gC8NLhPtD6IA1x2eU8iacTSUvpvEIF8BQa7zPPm6TW4:xIEfJYOWQb8uTSURpF2NYIkBqzzKuN7v

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://www.warlordsltd.in/wordpress/wp-admin/css/colors/fox/panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 6 IoCs

pid	Process
1220	yiCrfu.exe
1684	1507.exe
1020	mqtxrr.exe
1852	liloo.exe
1508	liloo.exe
1500	liloo.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral27/memory/1964-64-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral27/memory/1964-66-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral27/memory/1964-67-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral27/memory/1964-70-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral27/memory/1964-72-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral27/files/0x000600000001560c-76.dat	upx
behavioral27/files/0x000600000001560c-77.dat	upx
behavioral27/files/0x000600000001560c-79.dat	upx
behavioral27/memory/1684-97-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral27/memory/1684-100-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral27/files/0x000600000001560c-102.dat	upx
behavioral27/memory/1964-189-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Loads dropped DLL 11 IoCs

pid	Process
1308	114.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1020	mqtxrr.exe
1020	mqtxrr.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1507.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1507.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	liloo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	liloo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Movea = "C:\\Users\\Admin\\AppData\\Roaming\\Nitaz\\liloo.exe"	liloo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 1964	1220	yiCrfu.exe	28
PID 1964 set thread context of 1020	1964	svchost.exe	30
PID 1964 set thread context of 1508	1964	svchost.exe	37
PID 1964 set thread context of 1500	1964	svchost.exe	39
PID 1964 set thread context of 1500	1964	svchost.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	svchost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\72D734D4-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1220	yiCrfu.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe
1508	liloo.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1020	mqtxrr.exe
Token: SeSecurityPrivilege	1020	mqtxrr.exe
Token: SeImpersonatePrivilege	1684	1507.exe
Token: SeTcbPrivilege	1684	1507.exe
Token: SeChangeNotifyPrivilege	1684	1507.exe
Token: SeCreateTokenPrivilege	1684	1507.exe
Token: SeBackupPrivilege	1684	1507.exe
Token: SeRestorePrivilege	1684	1507.exe
Token: SeIncreaseQuotaPrivilege	1684	1507.exe
Token: SeAssignPrimaryTokenPrivilege	1684	1507.exe
Token: SeImpersonatePrivilege	1684	1507.exe
Token: SeTcbPrivilege	1684	1507.exe
Token: SeChangeNotifyPrivilege	1684	1507.exe
Token: SeCreateTokenPrivilege	1684	1507.exe
Token: SeBackupPrivilege	1684	1507.exe
Token: SeRestorePrivilege	1684	1507.exe
Token: SeIncreaseQuotaPrivilege	1684	1507.exe
Token: SeAssignPrimaryTokenPrivilege	1684	1507.exe
Token: SeImpersonatePrivilege	1684	1507.exe
Token: SeTcbPrivilege	1684	1507.exe
Token: SeChangeNotifyPrivilege	1684	1507.exe
Token: SeCreateTokenPrivilege	1684	1507.exe
Token: SeBackupPrivilege	1684	1507.exe
Token: SeRestorePrivilege	1684	1507.exe
Token: SeIncreaseQuotaPrivilege	1684	1507.exe
Token: SeAssignPrimaryTokenPrivilege	1684	1507.exe
Token: SeImpersonatePrivilege	1684	1507.exe
Token: SeTcbPrivilege	1684	1507.exe
Token: SeChangeNotifyPrivilege	1684	1507.exe
Token: SeCreateTokenPrivilege	1684	1507.exe
Token: SeBackupPrivilege	1684	1507.exe
Token: SeRestorePrivilege	1684	1507.exe
Token: SeIncreaseQuotaPrivilege	1684	1507.exe
Token: SeAssignPrimaryTokenPrivilege	1684	1507.exe
Token: SeSecurityPrivilege	1964	svchost.exe
Token: SeSecurityPrivilege	1964	svchost.exe
Token: SeSecurityPrivilege	1964	svchost.exe
Token: SeSecurityPrivilege	1964	svchost.exe
Token: SeSecurityPrivilege	1964	svchost.exe
Token: SeSecurityPrivilege	1964	svchost.exe
Token: SeManageVolumePrivilege	760	WinMail.exe
Token: SeSecurityPrivilege	1964	svchost.exe
Token: SeSecurityPrivilege	1964	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
760	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
760	WinMail.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1964	svchost.exe
1852	liloo.exe
760	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1220	1308	114.exe	27
PID 1308 wrote to memory of 1220	1308	114.exe	27
PID 1308 wrote to memory of 1220	1308	114.exe	27
PID 1308 wrote to memory of 1220	1308	114.exe	27
PID 1220 wrote to memory of 1964	1220	yiCrfu.exe	28
PID 1220 wrote to memory of 1964	1220	yiCrfu.exe	28
PID 1220 wrote to memory of 1964	1220	yiCrfu.exe	28
PID 1220 wrote to memory of 1964	1220	yiCrfu.exe	28
PID 1220 wrote to memory of 1964	1220	yiCrfu.exe	28
PID 1220 wrote to memory of 1964	1220	yiCrfu.exe	28
PID 1220 wrote to memory of 1964	1220	yiCrfu.exe	28
PID 1220 wrote to memory of 1964	1220	yiCrfu.exe	28
PID 1964 wrote to memory of 1684	1964	svchost.exe	29
PID 1964 wrote to memory of 1684	1964	svchost.exe	29
PID 1964 wrote to memory of 1684	1964	svchost.exe	29
PID 1964 wrote to memory of 1684	1964	svchost.exe	29
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1964 wrote to memory of 1020	1964	svchost.exe	30
PID 1684 wrote to memory of 1924	1684	1507.exe	32
PID 1684 wrote to memory of 1924	1684	1507.exe	32
PID 1684 wrote to memory of 1924	1684	1507.exe	32
PID 1684 wrote to memory of 1924	1684	1507.exe	32
PID 1020 wrote to memory of 1852	1020	mqtxrr.exe	34
PID 1020 wrote to memory of 1852	1020	mqtxrr.exe	34
PID 1020 wrote to memory of 1852	1020	mqtxrr.exe	34
PID 1020 wrote to memory of 1852	1020	mqtxrr.exe	34
PID 1020 wrote to memory of 1724	1020	mqtxrr.exe	35
PID 1020 wrote to memory of 1724	1020	mqtxrr.exe	35
PID 1020 wrote to memory of 1724	1020	mqtxrr.exe	35
PID 1020 wrote to memory of 1724	1020	mqtxrr.exe	35
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1964 wrote to memory of 1508	1964	svchost.exe	37
PID 1508 wrote to memory of 1128	1508	liloo.exe	14
PID 1508 wrote to memory of 1128	1508	liloo.exe	14
PID 1508 wrote to memory of 1128	1508	liloo.exe	14
PID 1508 wrote to memory of 1128	1508	liloo.exe	14
PID 1508 wrote to memory of 1128	1508	liloo.exe	14
PID 1508 wrote to memory of 1184	1508	liloo.exe	13
PID 1508 wrote to memory of 1184	1508	liloo.exe	13
PID 1508 wrote to memory of 1184	1508	liloo.exe	13
PID 1508 wrote to memory of 1184	1508	liloo.exe	13
PID 1508 wrote to memory of 1184	1508	liloo.exe	13
PID 1508 wrote to memory of 1212	1508	liloo.exe	12
PID 1508 wrote to memory of 1212	1508	liloo.exe	12
PID 1508 wrote to memory of 1212	1508	liloo.exe	12
PID 1508 wrote to memory of 1212	1508	liloo.exe	12
PID 1508 wrote to memory of 1212	1508	liloo.exe	12
PID 1508 wrote to memory of 1964	1508	liloo.exe	28
PID 1508 wrote to memory of 1964	1508	liloo.exe	28
PID 1508 wrote to memory of 1964	1508	liloo.exe	28

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1507.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\114.exe
  "C:\Users\Admin\AppData\Local\Temp\114.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe" "mQtXRR"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Users\Admin\AppData\Roaming\1507.exe
        
        "C:\Users\Admin\AppData\Roaming\1507.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        outlook_win_path
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7088248.bat" "C:\Users\Admin\AppData\Roaming\1507.exe" "
        6⤵
        
        PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\mqtxrr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mqtxrr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe
        
        "C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1beba39f.bat"
        6⤵
        
        PID:1724
    - - C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe
        
        "C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1508
    - - C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe
        
        "C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe"
        5⤵
        Executes dropped EXE
        
        PID:1500

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:664

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7088248.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\axMDDO.txt

Filesize
624KB

MD5
2b0448e32c7c95d988621668c12f9e96

SHA1
290109364637c40ddd59b6a2081bbbaff1550d90

SHA256
be8b0fd414c1f598d4d29f56eaf0e8728935886b39309409510c77379549951d

SHA512
062975a3ab0aff30fe97ca0d977ae27192edae70c5bbf4af1e0965cc2fc9eabb443b4531d0a6f93032c85de37c35a204fa9a2a8e0534d404b5703e8e90d1f960

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mQtXRR

Filesize
5KB

MD5
cff1b9c7ffd3ba5e74f28138c0645ce8

SHA1
c9521d677e6b3a89d2e16ef1603c76c9111a7a33

SHA256
cf0cac28051e5fc7c45e1a1512abb2ea757bc3b0a16be033de2ddd66f05d7d64

SHA512
06adcfa4671c1a7a49c556d999f0b70be02f19cb01d87cc73ebceda2c3d749268e7b9533e655d73b623043476409ef814435002e44981adb1be92cd6d5e474d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nfeiok.exe

Filesize
102KB

MD5
2acbda61d4267a5765695f12d090adfc

SHA1
c8f3388972ce8f759bb5e1102bf5ecf55a257b0c

SHA256
c54604d59b9ac39c092c282871ad3e3693b188208e379eabc5919902982800ce

SHA512
ea4067bc8fa1ff5ce6e5e2363217626bddfc8072fa0563ca2d679a4ca78c0c7509fa53c611604935976bfb2bfc44ff0b0370fb195364d622e494311fa03da160

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.txt

Filesize
44B

MD5
0c60bcd59c842fe0f0a6f8ebc398bb8f

SHA1
85f0a0b7ed6de60caea6d6ad70a99707bc238fe8

SHA256
8e0aa16b9dafad4739b84903ae412b5bea6f609d10271357608deaf3453c1732

SHA512
5b9c6081df5aa458713efe9b5d313297ef3bf00924c5249375570dc3a925fb7d87206db440d29af44ce5001e02df8ba4cf01320c1e4ff352870670768859ede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqtxrr.exe

Filesize
21KB

MD5
0c5ad6132af88310b78a1cc7a2b064f0

SHA1
6b31e1340d13fe5d2269ae30d4fd207acaa8b8f5

SHA256
1709f78c047c377fb3f31ce4eedf20ba7eef80cb49bce72eaa516e14e39a0de9

SHA512
c2cc3042ab60c07e7cdff88d60299948783a5d9dba253bf843fd88d6fe280a1999d1f25b1d6e69e81cf247ca78c87e690fb53b8fe45bb4f4f7b3c403205a26d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqtxrr.exe

Filesize
21KB

MD5
0c5ad6132af88310b78a1cc7a2b064f0

SHA1
6b31e1340d13fe5d2269ae30d4fd207acaa8b8f5

SHA256
1709f78c047c377fb3f31ce4eedf20ba7eef80cb49bce72eaa516e14e39a0de9

SHA512
c2cc3042ab60c07e7cdff88d60299948783a5d9dba253bf843fd88d6fe280a1999d1f25b1d6e69e81cf247ca78c87e690fb53b8fe45bb4f4f7b3c403205a26d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1beba39f.bat

Filesize
191B

MD5
6df4fdcc82cf03a090cdb5372c89b73d

SHA1
98cd89fba2c52202663da1035b59a330755141f7

SHA256
c4d1e2b9544c77b662cd2c79055ef743a86989bf470d6ea725365427933ff63e

SHA512
9b494a9a899ab441faef3ee9bfc8ee133be94b016f45f16a6b62dce76667667ac5eecca557fda98a7efd101ce4f80ba66082ccc275a953092c71d52c6aa2bcf3

Download Submit
C:\Users\Admin\AppData\Roaming\1507.exe

Filesize
34KB

MD5
082e80a5ab80bf298982830cec80c543

SHA1
4b870d1a37adf10b87774668143b7e757a1aba85

SHA256
1d4a0ed15917adbd10f3e11b776fbc2dca4ace600ecb912471c9e6fd066ec2e1

SHA512
59ffb70275592ecabaa9e371704929f9866e2849a0b631f1fc91a27afe9235b5549a7085373f0603de8376df94fae064951882bafcf0db15b01e58d8a6423fb7

Download Submit
C:\Users\Admin\AppData\Roaming\1507.exe

Filesize
34KB

MD5
082e80a5ab80bf298982830cec80c543

SHA1
4b870d1a37adf10b87774668143b7e757a1aba85

SHA256
1d4a0ed15917adbd10f3e11b776fbc2dca4ace600ecb912471c9e6fd066ec2e1

SHA512
59ffb70275592ecabaa9e371704929f9866e2849a0b631f1fc91a27afe9235b5549a7085373f0603de8376df94fae064951882bafcf0db15b01e58d8a6423fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
C:\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
C:\Users\Admin\AppData\Roaming\Oguwu\keiqo.qee

Filesize
4KB

MD5
bc1d6dfc0fb0f366514cee1a7d3debc3

SHA1
b3597a8f9d8fd0ef81cd133682930cc77b06974a

SHA256
fc4c785c16b44c6ab3e22b8a17ecac86e97b8fd5c4116658232074a42d9c3611

SHA512
20a36e18326d16d01b0676073977145486e7e9dbcc4d612bd046e1003442907cb468407907eed1be6f794c17ef94c5036d57563356a467cd845c09db5f4e745f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\yiCrfu.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit
\Users\Admin\AppData\Local\Temp\mqtxrr.exe

Filesize
21KB

MD5
0c5ad6132af88310b78a1cc7a2b064f0

SHA1
6b31e1340d13fe5d2269ae30d4fd207acaa8b8f5

SHA256
1709f78c047c377fb3f31ce4eedf20ba7eef80cb49bce72eaa516e14e39a0de9

SHA512
c2cc3042ab60c07e7cdff88d60299948783a5d9dba253bf843fd88d6fe280a1999d1f25b1d6e69e81cf247ca78c87e690fb53b8fe45bb4f4f7b3c403205a26d5

Download Submit
\Users\Admin\AppData\Local\Temp\mqtxrr.exe

Filesize
21KB

MD5
0c5ad6132af88310b78a1cc7a2b064f0

SHA1
6b31e1340d13fe5d2269ae30d4fd207acaa8b8f5

SHA256
1709f78c047c377fb3f31ce4eedf20ba7eef80cb49bce72eaa516e14e39a0de9

SHA512
c2cc3042ab60c07e7cdff88d60299948783a5d9dba253bf843fd88d6fe280a1999d1f25b1d6e69e81cf247ca78c87e690fb53b8fe45bb4f4f7b3c403205a26d5

Download Submit
\Users\Admin\AppData\Roaming\1507.exe

Filesize
34KB

MD5
082e80a5ab80bf298982830cec80c543

SHA1
4b870d1a37adf10b87774668143b7e757a1aba85

SHA256
1d4a0ed15917adbd10f3e11b776fbc2dca4ace600ecb912471c9e6fd066ec2e1

SHA512
59ffb70275592ecabaa9e371704929f9866e2849a0b631f1fc91a27afe9235b5549a7085373f0603de8376df94fae064951882bafcf0db15b01e58d8a6423fb7

Download Submit
\Users\Admin\AppData\Roaming\1507.exe

Filesize
34KB

MD5
082e80a5ab80bf298982830cec80c543

SHA1
4b870d1a37adf10b87774668143b7e757a1aba85

SHA256
1d4a0ed15917adbd10f3e11b776fbc2dca4ace600ecb912471c9e6fd066ec2e1

SHA512
59ffb70275592ecabaa9e371704929f9866e2849a0b631f1fc91a27afe9235b5549a7085373f0603de8376df94fae064951882bafcf0db15b01e58d8a6423fb7

Download Submit
\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
\Users\Admin\AppData\Roaming\Nitaz\liloo.exe

Filesize
21KB

MD5
520f2c2f777e69c41e5552e80875e25c

SHA1
dfe5d01404349553ad95aede71c3852cf5be5c2b

SHA256
d2fed62bc3de2cf285284f18960351d268af03a5204daa3d5153877918007031

SHA512
6a838aafc93dbb1d81b70b3426d6176b1255497d12e9878688db74963cae8f8cbd9204645a4182c2d201130d243347e1fbdda422091ef8744c02cfb0f864a065

Download Submit
memory/760-160-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/760-153-0x000007FEF6051000-0x000007FEF6053000-memory.dmp

Filesize
8KB

Download
memory/760-152-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/760-154-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1020-84-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-83-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-86-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1020-110-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1128-130-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1128-131-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1128-128-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1128-129-0x0000000001C60000-0x0000000001C9B000-memory.dmp

Filesize
236KB

Download
memory/1184-138-0x0000000001BF0000-0x0000000001C2B000-memory.dmp

Filesize
236KB

Download
memory/1184-137-0x0000000001BF0000-0x0000000001C2B000-memory.dmp

Filesize
236KB

Download
memory/1184-136-0x0000000001BF0000-0x0000000001C2B000-memory.dmp

Filesize
236KB

Download
memory/1184-135-0x0000000001BF0000-0x0000000001C2B000-memory.dmp

Filesize
236KB

Download
memory/1212-144-0x0000000002B70000-0x0000000002BAB000-memory.dmp

Filesize
236KB

Download
memory/1212-143-0x0000000002B70000-0x0000000002BAB000-memory.dmp

Filesize
236KB

Download
memory/1212-142-0x0000000002B70000-0x0000000002BAB000-memory.dmp

Filesize
236KB

Download
memory/1212-141-0x0000000002B70000-0x0000000002BAB000-memory.dmp

Filesize
236KB

Download
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1500-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1508-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1508-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1684-97-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1684-100-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1964-67-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1964-149-0x0000000001F80000-0x0000000001FBB000-memory.dmp

Filesize
236KB

Download
memory/1964-70-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1964-72-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1964-63-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1964-66-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1964-166-0x0000000001F80000-0x0000000001F85000-memory.dmp

Filesize
20KB

Download
memory/1964-148-0x0000000001F80000-0x0000000001FBB000-memory.dmp

Filesize
236KB

Download
memory/1964-95-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/1964-151-0x0000000001F80000-0x0000000001FBB000-memory.dmp

Filesize
236KB

Download
memory/1964-147-0x0000000001F80000-0x0000000001FBB000-memory.dmp

Filesize
236KB

Download
memory/1964-64-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1964-150-0x0000000001F80000-0x0000000001FBB000-memory.dmp

Filesize
236KB

Download
memory/1964-189-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1964-190-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/1964-191-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/1964-96-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download