pony | 6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Size

864KB
MD5

03dfaa7b38468e7f418e1edac766946f
SHA1

dceb6bc8494dd6f00295ed13c225b3e3fb6c7825
SHA256

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2
SHA512

2cd067ec38591c97b0c09c4a1f31450cc0f9c2ad3b68c351cd65e7feefbe0bf19e00703c8e47d50b2fd77a421938ba47dc75abf82531145779c95dd652f81139
SSDEEP

24576:8Bg3gm8984uZ+KUHRP8NXWFa5s9e0SOrJsxc:skk89uRPJFa50SO+c

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://www.bringbackudo.in/wordpress/AA/PP/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 6 IoCs

Processes:

Pony.exebot.exesoft.exeyryd.exeWindows.exevecu.exe

pid process

656 Pony.exe
1732 bot.exe
1756 soft.exe
1632 yryd.exe
1240 Windows.exe
1904 vecu.exe

pid	process
656	Pony.exe
1732	bot.exe
1756	soft.exe
1632	yryd.exe
1240	Windows.exe
1904	vecu.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Pony.exe	upx
\Users\Admin\AppData\Roaming\Pony.exe	upx
C:\Users\Admin\AppData\Roaming\Pony.exe	upx
behavioral1/memory/656-77-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1940-111-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1940-114-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1940-117-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1940-120-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1940-122-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1940-128-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1940-138-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/656-141-0x0000000000400000-0x000000000041D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Pony.exe	upx

Loads dropped DLL 15 IoCs

Processes:

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exebot.exesoft.exevecu.exe

pid	process
2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
1732	bot.exe
1732	bot.exe
2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
1756	soft.exe
1756	soft.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exePony.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Pony.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exePony.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vecu.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	vecu.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	vecu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ezqelyat = "C:\\Users\\Admin\\AppData\\Roaming\\Egduk\\vecu.exe"	vecu.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

Windows.exebot.exesoft.exe

description	pid	process	target process
PID 1240 set thread context of 1940	1240	Windows.exe	svchost.exe
PID 1732 set thread context of 1912	1732	bot.exe	cmd.exe
PID 1732 set thread context of 1912	1732	bot.exe	cmd.exe
PID 1756 set thread context of 764	1756	soft.exe	cmd.exe
PID 1756 set thread context of 764	1756	soft.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

852 schtasks.exe

pid	process
852	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

bot.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	bot.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bot.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0C78235D-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

yryd.exevecu.exe

pid	process
1632	yryd.exe
1632	yryd.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe
1904	vecu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bot.exePony.exesoft.exesvchost.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1732	bot.exe
Token: SeImpersonatePrivilege	656	Pony.exe
Token: SeTcbPrivilege	656	Pony.exe
Token: SeChangeNotifyPrivilege	656	Pony.exe
Token: SeCreateTokenPrivilege	656	Pony.exe
Token: SeBackupPrivilege	656	Pony.exe
Token: SeRestorePrivilege	656	Pony.exe
Token: SeIncreaseQuotaPrivilege	656	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	656	Pony.exe
Token: SeSecurityPrivilege	1756	soft.exe
Token: SeSecurityPrivilege	1756	soft.exe
Token: SeImpersonatePrivilege	1940	svchost.exe
Token: SeTcbPrivilege	1940	svchost.exe
Token: SeChangeNotifyPrivilege	1940	svchost.exe
Token: SeCreateTokenPrivilege	1940	svchost.exe
Token: SeBackupPrivilege	1940	svchost.exe
Token: SeRestorePrivilege	1940	svchost.exe
Token: SeIncreaseQuotaPrivilege	1940	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1940	svchost.exe
Token: SeManageVolumePrivilege	1212	WinMail.exe
Token: SeImpersonatePrivilege	1940	svchost.exe
Token: SeTcbPrivilege	1940	svchost.exe
Token: SeChangeNotifyPrivilege	1940	svchost.exe
Token: SeCreateTokenPrivilege	1940	svchost.exe
Token: SeBackupPrivilege	1940	svchost.exe
Token: SeRestorePrivilege	1940	svchost.exe
Token: SeIncreaseQuotaPrivilege	1940	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1940	svchost.exe
Token: SeImpersonatePrivilege	1940	svchost.exe
Token: SeTcbPrivilege	1940	svchost.exe
Token: SeChangeNotifyPrivilege	1940	svchost.exe
Token: SeCreateTokenPrivilege	1940	svchost.exe
Token: SeBackupPrivilege	1940	svchost.exe
Token: SeRestorePrivilege	1940	svchost.exe
Token: SeIncreaseQuotaPrivilege	1940	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1940	svchost.exe
Token: SeImpersonatePrivilege	1940	svchost.exe
Token: SeTcbPrivilege	1940	svchost.exe
Token: SeChangeNotifyPrivilege	1940	svchost.exe
Token: SeCreateTokenPrivilege	1940	svchost.exe
Token: SeBackupPrivilege	1940	svchost.exe
Token: SeRestorePrivilege	1940	svchost.exe
Token: SeIncreaseQuotaPrivilege	1940	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1940	svchost.exe
Token: SeImpersonatePrivilege	656	Pony.exe
Token: SeTcbPrivilege	656	Pony.exe
Token: SeChangeNotifyPrivilege	656	Pony.exe
Token: SeCreateTokenPrivilege	656	Pony.exe
Token: SeBackupPrivilege	656	Pony.exe
Token: SeRestorePrivilege	656	Pony.exe
Token: SeIncreaseQuotaPrivilege	656	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	656	Pony.exe
Token: SeImpersonatePrivilege	656	Pony.exe
Token: SeTcbPrivilege	656	Pony.exe
Token: SeChangeNotifyPrivilege	656	Pony.exe
Token: SeCreateTokenPrivilege	656	Pony.exe
Token: SeBackupPrivilege	656	Pony.exe
Token: SeRestorePrivilege	656	Pony.exe
Token: SeIncreaseQuotaPrivilege	656	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	656	Pony.exe
Token: SeImpersonatePrivilege	656	Pony.exe
Token: SeTcbPrivilege	656	Pony.exe
Token: SeChangeNotifyPrivilege	656	Pony.exe
Token: SeCreateTokenPrivilege	656	Pony.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

1212 WinMail.exe
1464 WinMail.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

1212 WinMail.exe
1464 WinMail.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WinMail.exeWinMail.exe

pid process

1212 WinMail.exe
1464 WinMail.exe

pid	process
1212	WinMail.exe
1464	WinMail.exe

pid	process
1212	WinMail.exe
1464	WinMail.exe

pid	process
1212	WinMail.exe
1464	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exebot.exeyryd.exeexplorer.exeWindows.exesvchost.exePony.exesoft.exevecu.exe

description	pid	process	target process
PID 2032 wrote to memory of 656	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Pony.exe
PID 2032 wrote to memory of 656	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Pony.exe
PID 2032 wrote to memory of 656	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Pony.exe
PID 2032 wrote to memory of 656	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Pony.exe
PID 2032 wrote to memory of 1732	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	bot.exe
PID 2032 wrote to memory of 1732	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	bot.exe
PID 2032 wrote to memory of 1732	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	bot.exe
PID 2032 wrote to memory of 1732	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	bot.exe
PID 2032 wrote to memory of 1756	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	soft.exe
PID 2032 wrote to memory of 1756	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	soft.exe
PID 2032 wrote to memory of 1756	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	soft.exe
PID 2032 wrote to memory of 1756	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	soft.exe
PID 1732 wrote to memory of 1632	1732	bot.exe	yryd.exe
PID 1732 wrote to memory of 1632	1732	bot.exe	yryd.exe
PID 1732 wrote to memory of 1632	1732	bot.exe	yryd.exe
PID 1732 wrote to memory of 1632	1732	bot.exe	yryd.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 2032 wrote to memory of 1240	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Windows.exe
PID 2032 wrote to memory of 1240	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Windows.exe
PID 2032 wrote to memory of 1240	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Windows.exe
PID 2032 wrote to memory of 1240	2032	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Windows.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1632 wrote to memory of 1488	1632	yryd.exe	explorer.exe
PID 1488 wrote to memory of 1368	1488	explorer.exe	Explorer.EXE
PID 1488 wrote to memory of 1368	1488	explorer.exe	Explorer.EXE
PID 1240 wrote to memory of 852	1240	Windows.exe	schtasks.exe
PID 1240 wrote to memory of 852	1240	Windows.exe	schtasks.exe
PID 1240 wrote to memory of 852	1240	Windows.exe	schtasks.exe
PID 1240 wrote to memory of 852	1240	Windows.exe	schtasks.exe
PID 1488 wrote to memory of 1368	1488	explorer.exe	Explorer.EXE
PID 1240 wrote to memory of 1940	1240	Windows.exe	svchost.exe
PID 1240 wrote to memory of 1940	1240	Windows.exe	svchost.exe
PID 1240 wrote to memory of 1940	1240	Windows.exe	svchost.exe
PID 1240 wrote to memory of 1940	1240	Windows.exe	svchost.exe
PID 1240 wrote to memory of 1940	1240	Windows.exe	svchost.exe
PID 1240 wrote to memory of 1940	1240	Windows.exe	svchost.exe
PID 1240 wrote to memory of 1940	1240	Windows.exe	svchost.exe
PID 1240 wrote to memory of 1940	1240	Windows.exe	svchost.exe
PID 1940 wrote to memory of 1800	1940	svchost.exe	cmd.exe
PID 1940 wrote to memory of 1800	1940	svchost.exe	cmd.exe
PID 1940 wrote to memory of 1800	1940	svchost.exe	cmd.exe
PID 1940 wrote to memory of 1800	1940	svchost.exe	cmd.exe
PID 656 wrote to memory of 968	656	Pony.exe	cmd.exe
PID 656 wrote to memory of 968	656	Pony.exe	cmd.exe
PID 656 wrote to memory of 968	656	Pony.exe	cmd.exe
PID 656 wrote to memory of 968	656	Pony.exe	cmd.exe
PID 1632 wrote to memory of 1732	1632	yryd.exe	bot.exe
PID 1632 wrote to memory of 1732	1632	yryd.exe	bot.exe
PID 1632 wrote to memory of 1732	1632	yryd.exe	bot.exe
PID 1632 wrote to memory of 1732	1632	yryd.exe	bot.exe
PID 1632 wrote to memory of 1732	1632	yryd.exe	bot.exe
PID 1632 wrote to memory of 1732	1632	yryd.exe	bot.exe
PID 1756 wrote to memory of 1904	1756	soft.exe	vecu.exe
PID 1756 wrote to memory of 1904	1756	soft.exe	vecu.exe
PID 1756 wrote to memory of 1904	1756	soft.exe	vecu.exe
PID 1756 wrote to memory of 1904	1756	soft.exe	vecu.exe
PID 1904 wrote to memory of 1244	1904	vecu.exe	taskhost.exe

outlook_win_path 1 IoCs

Processes:

Pony.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
"C:\Users\Admin\AppData\Local\Temp\6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Roaming\Pony.exe
"C:\Users\Admin\AppData\Roaming\Pony.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7100947.bat" "C:\Users\Admin\AppData\Roaming\Pony.exe" "
4⤵
PID:968

C:\Users\Admin\AppData\Roaming\bot.exe
"C:\Users\Admin\AppData\Roaming\bot.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\Cuduv\yryd.exe
"C:\Users\Admin\AppData\Roaming\Cuduv\yryd.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5f52ee36.bat"
4⤵
PID:1912

C:\Users\Admin\AppData\Roaming\soft.exe
"C:\Users\Admin\AppData\Roaming\soft.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\Egduk\vecu.exe
"C:\Users\Admin\AppData\Roaming\Egduk\vecu.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp224ab191.bat"
4⤵
PID:764

C:\Users\Admin\AppData\Roaming\Windows.exe
"C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\1096555839.xml"
4⤵
- Creates scheduled task(s)
PID:852

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7098669.bat" "C:\Windows\SysWOW64\svchost.exe" "
5⤵
PID:1800

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:900

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26AD01F9C002FAD37427E734302383D8_E1DF8F31180BEED965CA2CD894B8B7B4
Filesize
471B

MD5
08ca98724eee06a5b56542369ada6176

SHA1
7ac31fae825fab660cea1e0105e7011e24956afa

SHA256
bd88e174b19ec08daf00a1be2733b55ae5fc52487b2f3cd0fbbc688e1916218c

SHA512
94847c1dabb38564d954ca355a004c9473837527115ca72c27eaae06442481090b29fda66775ac93a330b303a93f42cb1537e1d18d9ebde84aaf257414339fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
Filesize
558B

MD5
3cc0012f96f8f44164c18d7de05023d9

SHA1
c8feb560d751fe720c8bdb53f5e78aa92abb9a9e

SHA256
2654c273c211ae1afc60a7736153a853142e3db028417206948576d1d57bf5d5

SHA512
626746176663e2460b18f1eb245306107060c172c4e65ad710dd75ec0b348d8f000342c0dd2f7ea3bb2e0796f61e1ddd2cd77c312d6a177ff2e70a10b68cc6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
Filesize
471B

MD5
388f9eae9d28d5b127ceb10902f99bbf

SHA1
d0f6410ab6be019ee04a57a3bd640ab5afc81970

SHA256
7755d85c641ef1a877fec51965b0b68e16e079a292ebd3403e86e412dc96aad7

SHA512
40c97a43e3ba2530af93f114a54daccd9ab02228ddd44079e8ecc213098b5a2b5098e51ea78b0e2c12e77ecb9783435ce48f25b84b908fbc78462a810a0f1f55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26AD01F9C002FAD37427E734302383D8_E1DF8F31180BEED965CA2CD894B8B7B4
Filesize
426B

MD5
9105e1cbf79d06c1922a814a2cff73ff

SHA1
d73e28372dfceb43f83a12f980f23575c74e4717

SHA256
02ccfbed0ec5193b89e256ba84f4114d565035a1f35c171d51b261044561eaa3

SHA512
052f8ef618f1bf62d5dcf6d8a1fa4d3d85e69d9f94e24057ea0e665b5ede86117a96bf780184aec4dd8a191339146e1f73775814a6cad033a9438b71c443463f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a8051a28e3fa6a4b31b1c5d2efbd82e0

SHA1
cad92915524a96da1475492aeea254544e601452

SHA256
091f08466cd11c76031fa227a79569d8e7b99efc2fe110ef3f588377b7b05083

SHA512
fecb782ce6e2327c597fa9ce5c19f1d12602ecf290b95009410f24dfc652cf158ede5023731ad35aebaf89b916d40af1fbcc32c43730450fdd1ad21eeedc606b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
Filesize
232B

MD5
83ee17adf8be483238343fe6dfc7fd8c

SHA1
1f98e9db85c40bc1d243781d803e9e222615923b

SHA256
22e7e0e00744fb5c23dee465043562001ad4fa2f7948793824fdf821a7466c1c

SHA512
fdf76e316d13f6b22544d68293ee83a55b59c628107f4b054f84a5db575394b1d94cea604a2ba9cfb6f6931d6497f62e31195b5f468322ab8102564199fb5afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
Filesize
408B

MD5
669afb7cc50985efaa63864893c9c4f1

SHA1
f3d51a1cbe6f7211a2d4b8c33b05c647bfec3d64

SHA256
af68b5817b9f8f5b8ef85b38f5cc7f7b91b710108ccddb55f2f1e7775f88b427

SHA512
77758ecba15d35b61fdd6a7663a54e63e5e11934d7c0c947f6979ebb250a1bbab07a138b0ce6fa53336b0407e1bb6310ec5eb726ff626a983747d4b28556ca6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
Filesize
2.0MB

MD5
5cededd01862f693b8fb21467ebbb933

SHA1
8350ed0814f983905356551f2076f25fcab63453

SHA256
d58c70c6a589af618033b38035843dc1cb43973c504c81ae7b5db2507c104707

SHA512
696b228b472dc58a3a56ba3555b72fcb6c85b541e7bbacfae0f5f8e1981f58b8de6b21f0ac097e2ff617eba03b0ca6a9527ef1f3aa3aa89ee8d2db4e6df46f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk
Filesize
8KB

MD5
63630515e870fdee6c07f8003b804de3

SHA1
8da9d3df78e1be912712a68647178c8b7523babd

SHA256
10e67a302578c7c83bf43dc119430bb8a2f284486c82608064770902be827a9d

SHA512
d0e0e99a241366e6dd0671a98d03e4633c45e59f4be6f29ec5d7ef51a38fe3546056ff02bb7ae15a989b31a8aac8abc06c674558d4b01993eb187fe2b3b9de7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
Filesize
2.0MB

MD5
95fd529eaad582d0a5b29f6ebf2de70b

SHA1
8d955e2a8fd61807cfc045a10b5e10948693536c

SHA256
fe7d0160c11db343390dac198503fccd27a7de2074f6543d744b3c9612fa0a73

SHA512
634add76ba5379a781679dc69c37b06bf38707d0c46f43c20a1686b70e1fc9b0220a4affcdb168b17787419c45881e872765a6b01e8cec87f86d21fa9fdf59cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1096555839.xml
Filesize
1KB

MD5
0ddf73e7e7190760e1e234425197411f

SHA1
bc5528997c53fde9b69b8588b11b4e6daa332e3a

SHA256
79726f4f8abd9815ddc3b61bdac4309fe3905c2deeea9157418fb8264622d24c

SHA512
89149d146c5192e0f61bfbcecb8b59b7a002c242fd4e007ce492c5569db1f1a3e40d6bde212d865eb5462866adcc1863e832251e133c7a376e466387a4eaeb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7098669.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7100947.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp224ab191.bat
Filesize
181B

MD5
e075dae6d67dcdfcf6cf2a785a3c5ded

SHA1
45ca8fc3d4dccb1b42f0697e6baa3c075978604d

SHA256
acbcea6c8ef11c7b0465d1d723b1df99380d1f206670fd90e315919b9aeb1cce

SHA512
e4104ff47c2f3ff55cdcff4b483b7f41db56479e13748096030da9516252670c38fe1f97abbea8887eb750e08ba81516269c8937c8c3bf5d141ea706abb61764

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5f52ee36.bat
Filesize
179B

MD5
b4f966dab2c705af6c8f54f7debee72e

SHA1
b3e88a5baf728f815903462acb94c686d9b8283d

SHA256
fb5c4aeed2583cea0df1268a61bbac198ce00294dccaed7ab32ff8810530a90a

SHA512
3db965c7318e7731fbd31c6937e459e55ef267ab5a25706f0374350cb38bb6be718a04089023f631bb199e11bd336770d9ec2c0077a4b39da6305155d1a46208

Download Submit
C:\Users\Admin\AppData\Roaming\Axosqa\askya.ati
Filesize
4KB

MD5
9b1379574e8db4a2fe3cd55e88a3b210

SHA1
5ca1632c5cb83b1a81bd85aa74fca04f0c9be916

SHA256
693adfcdf643b9add81a148517f0f95397aa54d67bd11fca59272e65a57435eb

SHA512
2612e86fb9bc7af823ac69e3165b27c973634ca29945ce8e6928aec95e93fc33ca3318dd943267c02cb73d95fa524e1dc4fc038967e453701140b114c39d98a8

Download Submit
C:\Users\Admin\AppData\Roaming\Cuduv\yryd.exe
Filesize
164KB

MD5
81553e327a20de6b8af9326650bced85

SHA1
e6f611c0195e22aa4246189160eecad901c9a6e3

SHA256
95925a965b3bec61e372a18a9b6eaab8fea454158132eea974701d8b8d39e7a6

SHA512
d87e88a926be93363e5f9881c91e98a423f9dad04dd822f518da79c20921bc0c80d9a992a7ebd0dd221588f4f1424f41aecc671a4ba1ea9207c6ce93359ee250

Download Submit
C:\Users\Admin\AppData\Roaming\Cuduv\yryd.exe
Filesize
164KB

MD5
81553e327a20de6b8af9326650bced85

SHA1
e6f611c0195e22aa4246189160eecad901c9a6e3

SHA256
95925a965b3bec61e372a18a9b6eaab8fea454158132eea974701d8b8d39e7a6

SHA512
d87e88a926be93363e5f9881c91e98a423f9dad04dd822f518da79c20921bc0c80d9a992a7ebd0dd221588f4f1424f41aecc671a4ba1ea9207c6ce93359ee250

Download Submit
C:\Users\Admin\AppData\Roaming\Egduk\vecu.exe
Filesize
221KB

MD5
3b9d1b2f4b14571a52610b4df4bc5f49

SHA1
19b62757282706a4bcd04c7fcd8356174d3131ee

SHA256
d2c47697cbae93b89a6c2392c39a080a1eb13b48ec5abe1cb2a353a8e4edd2a9

SHA512
2088878f57e50b95d1ab5b6a9f38076ff910a936305869aa55a33f78fc414173241a4cc66c5fe15279bee455d7e9db713764c713f0fa77eff4fa356da104381e

Download Submit
C:\Users\Admin\AppData\Roaming\Egduk\vecu.exe
Filesize
221KB

MD5
3b9d1b2f4b14571a52610b4df4bc5f49

SHA1
19b62757282706a4bcd04c7fcd8356174d3131ee

SHA256
d2c47697cbae93b89a6c2392c39a080a1eb13b48ec5abe1cb2a353a8e4edd2a9

SHA512
2088878f57e50b95d1ab5b6a9f38076ff910a936305869aa55a33f78fc414173241a4cc66c5fe15279bee455d7e9db713764c713f0fa77eff4fa356da104381e

Download Submit
C:\Users\Admin\AppData\Roaming\Pony.exe
Filesize
34KB

MD5
28a5d91f5b0fa1993b59309353be7b14

SHA1
a8d674d87696719dd9f0672a25c09d49edbfac7c

SHA256
5799df0883e09b9f9d22a44e3b20b8f649d4f70bed66a058b44160f68b676246

SHA512
ae6008067877fc20ed55e090bf419280ca3d809d2a06a5a87fafae9e1963a6362e8cd34a8ae83da952e1c080737404d20d00d63bb840f27e1554cec60676910e

Download Submit
C:\Users\Admin\AppData\Roaming\Pony.exe
Filesize
34KB

MD5
28a5d91f5b0fa1993b59309353be7b14

SHA1
a8d674d87696719dd9f0672a25c09d49edbfac7c

SHA256
5799df0883e09b9f9d22a44e3b20b8f649d4f70bed66a058b44160f68b676246

SHA512
ae6008067877fc20ed55e090bf419280ca3d809d2a06a5a87fafae9e1963a6362e8cd34a8ae83da952e1c080737404d20d00d63bb840f27e1554cec60676910e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe
Filesize
864KB

MD5
03dfaa7b38468e7f418e1edac766946f

SHA1
dceb6bc8494dd6f00295ed13c225b3e3fb6c7825

SHA256
6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2

SHA512
2cd067ec38591c97b0c09c4a1f31450cc0f9c2ad3b68c351cd65e7feefbe0bf19e00703c8e47d50b2fd77a421938ba47dc75abf82531145779c95dd652f81139

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe
Filesize
864KB

MD5
03dfaa7b38468e7f418e1edac766946f

SHA1
dceb6bc8494dd6f00295ed13c225b3e3fb6c7825

SHA256
6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2

SHA512
2cd067ec38591c97b0c09c4a1f31450cc0f9c2ad3b68c351cd65e7feefbe0bf19e00703c8e47d50b2fd77a421938ba47dc75abf82531145779c95dd652f81139

Download Submit
C:\Users\Admin\AppData\Roaming\bot.exe
Filesize
164KB

MD5
d2eea717949b8af196da910a3058fb99

SHA1
7c2b66990186e11dd884b12fdb1dc8cc2d85bb1f

SHA256
a0f8824af360b6bbaac704590c0a97c5f45658586844ef54c3a1cbdbcd29e369

SHA512
b84c5b0321ebf4504dc5063c2a3d400c3fc4de58f1dfdf48dab0834a73b72894041fdd59238e7a0e675999dceb7682ebf66a3fd9d3fdf164880c51b40efb521e

Download Submit
C:\Users\Admin\AppData\Roaming\bot.exe
Filesize
164KB

MD5
d2eea717949b8af196da910a3058fb99

SHA1
7c2b66990186e11dd884b12fdb1dc8cc2d85bb1f

SHA256
a0f8824af360b6bbaac704590c0a97c5f45658586844ef54c3a1cbdbcd29e369

SHA512
b84c5b0321ebf4504dc5063c2a3d400c3fc4de58f1dfdf48dab0834a73b72894041fdd59238e7a0e675999dceb7682ebf66a3fd9d3fdf164880c51b40efb521e

Download Submit
C:\Users\Admin\AppData\Roaming\soft.exe
Filesize
221KB

MD5
f6f570a5099aaea4d1577ba4cfb665d4

SHA1
644a297eb55d4497502042234250bb3f7d9f06c6

SHA256
7fc514907edfe602ada997bb604b686f429b8597275e915b3506c77fcf1ad5d7

SHA512
a1dbb76d05123067745f5657c4a4a3fa3e0431a9cedd81e4244b31b2ab230d277ef53f822fffb96e8e08d385eea20e656b2e6b4c461ce9ecea3545aa232d48f3

Download Submit
C:\Users\Admin\AppData\Roaming\soft.exe
Filesize
221KB

MD5
f6f570a5099aaea4d1577ba4cfb665d4

SHA1
644a297eb55d4497502042234250bb3f7d9f06c6

SHA256
7fc514907edfe602ada997bb604b686f429b8597275e915b3506c77fcf1ad5d7

SHA512
a1dbb76d05123067745f5657c4a4a3fa3e0431a9cedd81e4244b31b2ab230d277ef53f822fffb96e8e08d385eea20e656b2e6b4c461ce9ecea3545aa232d48f3

Download Submit
\Users\Admin\AppData\Roaming\Cuduv\yryd.exe
Filesize
164KB

MD5
81553e327a20de6b8af9326650bced85

SHA1
e6f611c0195e22aa4246189160eecad901c9a6e3

SHA256
95925a965b3bec61e372a18a9b6eaab8fea454158132eea974701d8b8d39e7a6

SHA512
d87e88a926be93363e5f9881c91e98a423f9dad04dd822f518da79c20921bc0c80d9a992a7ebd0dd221588f4f1424f41aecc671a4ba1ea9207c6ce93359ee250

Download Submit
\Users\Admin\AppData\Roaming\Cuduv\yryd.exe
Filesize
164KB

MD5
81553e327a20de6b8af9326650bced85

SHA1
e6f611c0195e22aa4246189160eecad901c9a6e3

SHA256
95925a965b3bec61e372a18a9b6eaab8fea454158132eea974701d8b8d39e7a6

SHA512
d87e88a926be93363e5f9881c91e98a423f9dad04dd822f518da79c20921bc0c80d9a992a7ebd0dd221588f4f1424f41aecc671a4ba1ea9207c6ce93359ee250

Download Submit
\Users\Admin\AppData\Roaming\Cuduv\yryd.exe
Filesize
164KB

MD5
81553e327a20de6b8af9326650bced85

SHA1
e6f611c0195e22aa4246189160eecad901c9a6e3

SHA256
95925a965b3bec61e372a18a9b6eaab8fea454158132eea974701d8b8d39e7a6

SHA512
d87e88a926be93363e5f9881c91e98a423f9dad04dd822f518da79c20921bc0c80d9a992a7ebd0dd221588f4f1424f41aecc671a4ba1ea9207c6ce93359ee250

Download Submit
\Users\Admin\AppData\Roaming\Egduk\vecu.exe
Filesize
221KB

MD5
3b9d1b2f4b14571a52610b4df4bc5f49

SHA1
19b62757282706a4bcd04c7fcd8356174d3131ee

SHA256
d2c47697cbae93b89a6c2392c39a080a1eb13b48ec5abe1cb2a353a8e4edd2a9

SHA512
2088878f57e50b95d1ab5b6a9f38076ff910a936305869aa55a33f78fc414173241a4cc66c5fe15279bee455d7e9db713764c713f0fa77eff4fa356da104381e

Download Submit
\Users\Admin\AppData\Roaming\Egduk\vecu.exe
Filesize
221KB

MD5
3b9d1b2f4b14571a52610b4df4bc5f49

SHA1
19b62757282706a4bcd04c7fcd8356174d3131ee

SHA256
d2c47697cbae93b89a6c2392c39a080a1eb13b48ec5abe1cb2a353a8e4edd2a9

SHA512
2088878f57e50b95d1ab5b6a9f38076ff910a936305869aa55a33f78fc414173241a4cc66c5fe15279bee455d7e9db713764c713f0fa77eff4fa356da104381e

Download Submit
\Users\Admin\AppData\Roaming\Pony.exe
Filesize
34KB

MD5
28a5d91f5b0fa1993b59309353be7b14

SHA1
a8d674d87696719dd9f0672a25c09d49edbfac7c

SHA256
5799df0883e09b9f9d22a44e3b20b8f649d4f70bed66a058b44160f68b676246

SHA512
ae6008067877fc20ed55e090bf419280ca3d809d2a06a5a87fafae9e1963a6362e8cd34a8ae83da952e1c080737404d20d00d63bb840f27e1554cec60676910e

Download Submit
\Users\Admin\AppData\Roaming\Pony.exe
Filesize
34KB

MD5
28a5d91f5b0fa1993b59309353be7b14

SHA1
a8d674d87696719dd9f0672a25c09d49edbfac7c

SHA256
5799df0883e09b9f9d22a44e3b20b8f649d4f70bed66a058b44160f68b676246

SHA512
ae6008067877fc20ed55e090bf419280ca3d809d2a06a5a87fafae9e1963a6362e8cd34a8ae83da952e1c080737404d20d00d63bb840f27e1554cec60676910e

Download Submit
\Users\Admin\AppData\Roaming\Windows.exe
Filesize
864KB

MD5
03dfaa7b38468e7f418e1edac766946f

SHA1
dceb6bc8494dd6f00295ed13c225b3e3fb6c7825

SHA256
6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2

SHA512
2cd067ec38591c97b0c09c4a1f31450cc0f9c2ad3b68c351cd65e7feefbe0bf19e00703c8e47d50b2fd77a421938ba47dc75abf82531145779c95dd652f81139

Download Submit
\Users\Admin\AppData\Roaming\Windows.exe
Filesize
864KB

MD5
03dfaa7b38468e7f418e1edac766946f

SHA1
dceb6bc8494dd6f00295ed13c225b3e3fb6c7825

SHA256
6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2

SHA512
2cd067ec38591c97b0c09c4a1f31450cc0f9c2ad3b68c351cd65e7feefbe0bf19e00703c8e47d50b2fd77a421938ba47dc75abf82531145779c95dd652f81139

Download Submit
\Users\Admin\AppData\Roaming\bot.exe
Filesize
164KB

MD5
d2eea717949b8af196da910a3058fb99

SHA1
7c2b66990186e11dd884b12fdb1dc8cc2d85bb1f

SHA256
a0f8824af360b6bbaac704590c0a97c5f45658586844ef54c3a1cbdbcd29e369

SHA512
b84c5b0321ebf4504dc5063c2a3d400c3fc4de58f1dfdf48dab0834a73b72894041fdd59238e7a0e675999dceb7682ebf66a3fd9d3fdf164880c51b40efb521e

Download Submit
\Users\Admin\AppData\Roaming\bot.exe
Filesize
164KB

MD5
d2eea717949b8af196da910a3058fb99

SHA1
7c2b66990186e11dd884b12fdb1dc8cc2d85bb1f

SHA256
a0f8824af360b6bbaac704590c0a97c5f45658586844ef54c3a1cbdbcd29e369

SHA512
b84c5b0321ebf4504dc5063c2a3d400c3fc4de58f1dfdf48dab0834a73b72894041fdd59238e7a0e675999dceb7682ebf66a3fd9d3fdf164880c51b40efb521e

Download Submit
\Users\Admin\AppData\Roaming\bot.exe
Filesize
164KB

MD5
d2eea717949b8af196da910a3058fb99

SHA1
7c2b66990186e11dd884b12fdb1dc8cc2d85bb1f

SHA256
a0f8824af360b6bbaac704590c0a97c5f45658586844ef54c3a1cbdbcd29e369

SHA512
b84c5b0321ebf4504dc5063c2a3d400c3fc4de58f1dfdf48dab0834a73b72894041fdd59238e7a0e675999dceb7682ebf66a3fd9d3fdf164880c51b40efb521e

Download Submit
\Users\Admin\AppData\Roaming\soft.exe
Filesize
221KB

MD5
f6f570a5099aaea4d1577ba4cfb665d4

SHA1
644a297eb55d4497502042234250bb3f7d9f06c6

SHA256
7fc514907edfe602ada997bb604b686f429b8597275e915b3506c77fcf1ad5d7

SHA512
a1dbb76d05123067745f5657c4a4a3fa3e0431a9cedd81e4244b31b2ab230d277ef53f822fffb96e8e08d385eea20e656b2e6b4c461ce9ecea3545aa232d48f3

Download Submit
\Users\Admin\AppData\Roaming\soft.exe
Filesize
221KB

MD5
f6f570a5099aaea4d1577ba4cfb665d4

SHA1
644a297eb55d4497502042234250bb3f7d9f06c6

SHA256
7fc514907edfe602ada997bb604b686f429b8597275e915b3506c77fcf1ad5d7

SHA512
a1dbb76d05123067745f5657c4a4a3fa3e0431a9cedd81e4244b31b2ab230d277ef53f822fffb96e8e08d385eea20e656b2e6b4c461ce9ecea3545aa232d48f3

Download Submit
\Users\Admin\AppData\Roaming\soft.exe
Filesize
221KB

MD5
f6f570a5099aaea4d1577ba4cfb665d4

SHA1
644a297eb55d4497502042234250bb3f7d9f06c6

SHA256
7fc514907edfe602ada997bb604b686f429b8597275e915b3506c77fcf1ad5d7

SHA512
a1dbb76d05123067745f5657c4a4a3fa3e0431a9cedd81e4244b31b2ab230d277ef53f822fffb96e8e08d385eea20e656b2e6b4c461ce9ecea3545aa232d48f3

Download Submit
memory/656-77-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/656-58-0x0000000000000000-mapping.dmp

Download
memory/656-141-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/764-795-0x00000000001F0000-0x000000000021E000-memory.dmp

Filesize
184KB

Download
memory/764-790-0x00000000001F58D0-mapping.dmp

Download
memory/852-106-0x0000000000000000-mapping.dmp

Download
memory/968-140-0x0000000000000000-mapping.dmp

Download
memory/1212-131-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/1212-109-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1212-115-0x000007FEF6BF1000-0x000007FEF6BF3000-memory.dmp

Filesize
8KB

Download
memory/1212-124-0x00000000020B0000-0x00000000020C0000-memory.dmp

Filesize
64KB

Download
memory/1240-104-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1240-121-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1240-84-0x0000000000000000-mapping.dmp

Download
memory/1244-157-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1244-159-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1244-161-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1244-162-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1244-160-0x0000000001E40000-0x0000000001E7B000-memory.dmp

Filesize
236KB

Download
memory/1332-165-0x0000000001C90000-0x0000000001CCB000-memory.dmp

Filesize
236KB

Download
memory/1332-166-0x0000000001C90000-0x0000000001CCB000-memory.dmp

Filesize
236KB

Download
memory/1332-167-0x0000000001C90000-0x0000000001CCB000-memory.dmp

Filesize
236KB

Download
memory/1332-168-0x0000000001C90000-0x0000000001CCB000-memory.dmp

Filesize
236KB

Download
memory/1368-171-0x0000000002BE0000-0x0000000002C1B000-memory.dmp

Filesize
236KB

Download
memory/1368-172-0x0000000002BE0000-0x0000000002C1B000-memory.dmp

Filesize
236KB

Download
memory/1488-96-0x0000000000000000-mapping.dmp

Download
memory/1488-92-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1488-105-0x00000000749C1000-0x00000000749C3000-memory.dmp

Filesize
8KB

Download
memory/1488-796-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/1488-90-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1488-94-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1488-93-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1488-329-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1488-108-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1488-85-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1488-95-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1488-541-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/1632-485-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/1632-75-0x0000000000000000-mapping.dmp

Download
memory/1732-521-0x0000000001EF0000-0x0000000001F2B000-memory.dmp

Filesize
236KB

Download
memory/1732-63-0x0000000000000000-mapping.dmp

Download
memory/1732-148-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1732-519-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1732-146-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1732-150-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1732-198-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1732-200-0x0000000001EF0000-0x0000000001F2B000-memory.dmp

Filesize
236KB

Download
memory/1732-149-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1756-791-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1756-792-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download
memory/1756-68-0x0000000000000000-mapping.dmp

Download
memory/1756-544-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/1756-340-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1800-137-0x0000000000000000-mapping.dmp

Download
memory/1904-153-0x0000000000000000-mapping.dmp

Download
memory/1912-538-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/1912-767-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/1912-515-0x0000000000099BF5-mapping.dmp

Download
memory/1940-111-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-122-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-114-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-117-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-128-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-110-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-120-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-119-0x000000000041AF50-mapping.dmp

Download
memory/2032-72-0x00000000049A0000-0x00000000049BD000-memory.dmp

Filesize
116KB

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-76-0x00000000049A0000-0x00000000049BD000-memory.dmp

Filesize
116KB

Download
memory/2032-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-91-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download