pony | 6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2

Analysis

max time kernel
215s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Size

864KB
MD5

03dfaa7b38468e7f418e1edac766946f
SHA1

dceb6bc8494dd6f00295ed13c225b3e3fb6c7825
SHA256

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2
SHA512

2cd067ec38591c97b0c09c4a1f31450cc0f9c2ad3b68c351cd65e7feefbe0bf19e00703c8e47d50b2fd77a421938ba47dc75abf82531145779c95dd652f81139
SSDEEP

24576:8Bg3gm8984uZ+KUHRP8NXWFa5s9e0SOrJsxc:skk89uRPJFa50SO+c

Score

10^/10

pony collection discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://www.bringbackudo.in/wordpress/AA/PP/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 6 IoCs

Processes:

Pony.exebot.exesoft.exeokyf.exeWindows.exehyzia.exe

pid process

4376 Pony.exe
1832 bot.exe
872 soft.exe
2976 okyf.exe
4784 Windows.exe
4160 hyzia.exe

pid	process
4376	Pony.exe
1832	bot.exe
872	soft.exe
2976	okyf.exe
4784	Windows.exe
4160	hyzia.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Pony.exe	upx
C:\Users\Admin\AppData\Roaming\Pony.exe	upx
behavioral2/memory/4376-137-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4376-170-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1936-188-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1936-189-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1936-190-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1936-197-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1936-196-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1936-202-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1936-209-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4376-214-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exeWindows.exePony.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Windows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Pony.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exePony.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Pony.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

Pony.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hyzia.exePony.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Alzayhx = "C:\\Users\\Admin\\AppData\\Roaming\\Peix\\hyzia.exe"	hyzia.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\Currentversion\Run	Pony.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\Currentversion\Run	hyzia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	hyzia.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 9 IoCs

Processes:

Windows.exebot.exesoft.exePony.exe

description	pid	process	target process
PID 4784 set thread context of 3152	4784	Windows.exe	svchost.exe
PID 1832 set thread context of 444	1832	bot.exe	cmd.exe
PID 4784 set thread context of 1992	4784	Windows.exe	svchost.exe
PID 4784 set thread context of 1936	4784	Windows.exe	svchost.exe
PID 4784 set thread context of 1936	4784	Windows.exe	svchost.exe
PID 872 set thread context of 4800	872	soft.exe	cmd.exe
PID 872 set thread context of 4800	872	soft.exe	cmd.exe
PID 4376 set thread context of 2052	4376	Pony.exe	cmd.exe
PID 4376 set thread context of 2052	4376	Pony.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5036 schtasks.exe

pid	process
5036	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Pony.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Privacy	Pony.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	Pony.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

hyzia.exeokyf.exe

pid	process
4160	hyzia.exe
4160	hyzia.exe
2976	okyf.exe
2976	okyf.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe
4160	hyzia.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bot.exesoft.exePony.exesvchost.exe

description	pid	process
Token: SeSecurityPrivilege	1832	bot.exe
Token: SeSecurityPrivilege	872	soft.exe
Token: SeSecurityPrivilege	872	soft.exe
Token: SeImpersonatePrivilege	4376	Pony.exe
Token: SeTcbPrivilege	4376	Pony.exe
Token: SeChangeNotifyPrivilege	4376	Pony.exe
Token: SeCreateTokenPrivilege	4376	Pony.exe
Token: SeBackupPrivilege	4376	Pony.exe
Token: SeRestorePrivilege	4376	Pony.exe
Token: SeIncreaseQuotaPrivilege	4376	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	4376	Pony.exe
Token: SeSecurityPrivilege	4376	Pony.exe
Token: SeSecurityPrivilege	4376	Pony.exe
Token: SeSecurityPrivilege	4376	Pony.exe
Token: SeSecurityPrivilege	4376	Pony.exe
Token: SeImpersonatePrivilege	1936	svchost.exe
Token: SeTcbPrivilege	1936	svchost.exe
Token: SeChangeNotifyPrivilege	1936	svchost.exe
Token: SeCreateTokenPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeIncreaseQuotaPrivilege	1936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	4376	Pony.exe
Token: SeSecurityPrivilege	4376	Pony.exe
Token: SeSecurityPrivilege	4376	Pony.exe
Token: SeImpersonatePrivilege	1936	svchost.exe
Token: SeTcbPrivilege	1936	svchost.exe
Token: SeChangeNotifyPrivilege	1936	svchost.exe
Token: SeCreateTokenPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeIncreaseQuotaPrivilege	1936	svchost.exe
Token: SeImpersonatePrivilege	4376	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	1936	svchost.exe
Token: SeTcbPrivilege	4376	Pony.exe
Token: SeChangeNotifyPrivilege	4376	Pony.exe
Token: SeCreateTokenPrivilege	4376	Pony.exe
Token: SeBackupPrivilege	4376	Pony.exe
Token: SeRestorePrivilege	4376	Pony.exe
Token: SeIncreaseQuotaPrivilege	4376	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	4376	Pony.exe
Token: SeImpersonatePrivilege	4376	Pony.exe
Token: SeTcbPrivilege	4376	Pony.exe
Token: SeChangeNotifyPrivilege	4376	Pony.exe
Token: SeCreateTokenPrivilege	4376	Pony.exe
Token: SeBackupPrivilege	4376	Pony.exe
Token: SeRestorePrivilege	4376	Pony.exe
Token: SeIncreaseQuotaPrivilege	4376	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	4376	Pony.exe
Token: SeImpersonatePrivilege	1936	svchost.exe
Token: SeTcbPrivilege	1936	svchost.exe
Token: SeChangeNotifyPrivilege	1936	svchost.exe
Token: SeCreateTokenPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeIncreaseQuotaPrivilege	1936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1936	svchost.exe
Token: SeImpersonatePrivilege	1936	svchost.exe
Token: SeTcbPrivilege	1936	svchost.exe
Token: SeChangeNotifyPrivilege	1936	svchost.exe
Token: SeCreateTokenPrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exebot.exeokyf.exesoft.exehyzia.exe

description	pid	process	target process
PID 1060 wrote to memory of 4376	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Pony.exe
PID 1060 wrote to memory of 4376	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Pony.exe
PID 1060 wrote to memory of 4376	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Pony.exe
PID 1060 wrote to memory of 1832	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	bot.exe
PID 1060 wrote to memory of 1832	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	bot.exe
PID 1060 wrote to memory of 1832	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	bot.exe
PID 1060 wrote to memory of 872	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	soft.exe
PID 1060 wrote to memory of 872	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	soft.exe
PID 1060 wrote to memory of 872	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	soft.exe
PID 1832 wrote to memory of 2976	1832	bot.exe	okyf.exe
PID 1832 wrote to memory of 2976	1832	bot.exe	okyf.exe
PID 1832 wrote to memory of 2976	1832	bot.exe	okyf.exe
PID 1060 wrote to memory of 4784	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Windows.exe
PID 1060 wrote to memory of 4784	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Windows.exe
PID 1060 wrote to memory of 4784	1060	6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe	Windows.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 2976 wrote to memory of 4752	2976	okyf.exe	explorer.exe
PID 872 wrote to memory of 4160	872	soft.exe	hyzia.exe
PID 872 wrote to memory of 4160	872	soft.exe	hyzia.exe
PID 872 wrote to memory of 4160	872	soft.exe	hyzia.exe
PID 4160 wrote to memory of 2448	4160	hyzia.exe	sihost.exe
PID 4160 wrote to memory of 2448	4160	hyzia.exe	sihost.exe
PID 4160 wrote to memory of 2448	4160	hyzia.exe	sihost.exe
PID 4160 wrote to memory of 2448	4160	hyzia.exe	sihost.exe
PID 4160 wrote to memory of 2448	4160	hyzia.exe	sihost.exe
PID 4160 wrote to memory of 2468	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 2468	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 2468	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 2468	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 2468	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 2780	4160	hyzia.exe	taskhostw.exe
PID 4160 wrote to memory of 2780	4160	hyzia.exe	taskhostw.exe
PID 4160 wrote to memory of 2780	4160	hyzia.exe	taskhostw.exe
PID 4160 wrote to memory of 2780	4160	hyzia.exe	taskhostw.exe
PID 4160 wrote to memory of 2780	4160	hyzia.exe	taskhostw.exe
PID 4160 wrote to memory of 964	4160	hyzia.exe	Explorer.EXE
PID 4160 wrote to memory of 964	4160	hyzia.exe	Explorer.EXE
PID 4160 wrote to memory of 964	4160	hyzia.exe	Explorer.EXE
PID 4160 wrote to memory of 964	4160	hyzia.exe	Explorer.EXE
PID 4160 wrote to memory of 964	4160	hyzia.exe	Explorer.EXE
PID 4160 wrote to memory of 424	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 424	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 424	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 424	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 424	4160	hyzia.exe	svchost.exe
PID 4160 wrote to memory of 3260	4160	hyzia.exe	DllHost.exe
PID 4160 wrote to memory of 3260	4160	hyzia.exe	DllHost.exe
PID 4160 wrote to memory of 3260	4160	hyzia.exe	DllHost.exe
PID 4160 wrote to memory of 3260	4160	hyzia.exe	DllHost.exe
PID 4160 wrote to memory of 3260	4160	hyzia.exe	DllHost.exe
PID 4160 wrote to memory of 3372	4160	hyzia.exe	StartMenuExperienceHost.exe
PID 4160 wrote to memory of 3372	4160	hyzia.exe	StartMenuExperienceHost.exe
PID 4160 wrote to memory of 3372	4160	hyzia.exe	StartMenuExperienceHost.exe
PID 4160 wrote to memory of 3372	4160	hyzia.exe	StartMenuExperienceHost.exe
PID 4160 wrote to memory of 3372	4160	hyzia.exe	StartMenuExperienceHost.exe
PID 4160 wrote to memory of 3452	4160	hyzia.exe	RuntimeBroker.exe
PID 4160 wrote to memory of 3452	4160	hyzia.exe	RuntimeBroker.exe

outlook_win_path 1 IoCs

Processes:

Pony.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Pony.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2448

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:432

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:2616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3532

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe
"C:\Users\Admin\AppData\Local\Temp\6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2.exe"
2⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Roaming\Pony.exe
"C:\Users\Admin\AppData\Roaming\Pony.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240748718.bat" "C:\Users\Admin\AppData\Roaming\Pony.exe" "
4⤵
PID:2052

C:\Users\Admin\AppData\Roaming\bot.exe
"C:\Users\Admin\AppData\Roaming\bot.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Roaming\Ysmuys\okyf.exe
"C:\Users\Admin\AppData\Roaming\Ysmuys\okyf.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
5⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp31a3889c.bat"
4⤵
PID:444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1708

C:\Users\Admin\AppData\Roaming\soft.exe
"C:\Users\Admin\AppData\Roaming\soft.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Roaming\Peix\hyzia.exe
"C:\Users\Admin\AppData\Roaming\Peix\hyzia.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc620a651.bat"
4⤵
PID:4800

C:\Users\Admin\AppData\Roaming\Windows.exe
"C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\433070167.xml"
4⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:3152

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:1992

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240748687.bat" "C:\Windows\SysWOW64\svchost.exe" "
5⤵
PID:1732

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2360

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26AD01F9C002FAD37427E734302383D8_E1DF8F31180BEED965CA2CD894B8B7B4
Filesize
471B

MD5
08ca98724eee06a5b56542369ada6176

SHA1
7ac31fae825fab660cea1e0105e7011e24956afa

SHA256
bd88e174b19ec08daf00a1be2733b55ae5fc52487b2f3cd0fbbc688e1916218c

SHA512
94847c1dabb38564d954ca355a004c9473837527115ca72c27eaae06442481090b29fda66775ac93a330b303a93f42cb1537e1d18d9ebde84aaf257414339fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
Filesize
471B

MD5
388f9eae9d28d5b127ceb10902f99bbf

SHA1
d0f6410ab6be019ee04a57a3bd640ab5afc81970

SHA256
7755d85c641ef1a877fec51965b0b68e16e079a292ebd3403e86e412dc96aad7

SHA512
40c97a43e3ba2530af93f114a54daccd9ab02228ddd44079e8ecc213098b5a2b5098e51ea78b0e2c12e77ecb9783435ce48f25b84b908fbc78462a810a0f1f55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26AD01F9C002FAD37427E734302383D8_E1DF8F31180BEED965CA2CD894B8B7B4
Filesize
396B

MD5
4536b91798dffe4834601366e87c20d3

SHA1
b168fb788c0a7db5cb8c00ab1e38bf8bb2f86bb6

SHA256
a19bd073d926a1d095e6cd9b93c8aa9f2dc104761766dea92d109df2a361adb1

SHA512
cfe7ded3fdb7b60bb5b3f5aa852572ebd5e719bbd6f37d9e594ca3d6544219ade73cba57f7a968f3d49f5ac6a85263d343dbce5e5fe77d44f5d659e2c8431d33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
Filesize
438B

MD5
c2c4ebdb92d8af85a44700a933cf2b45

SHA1
7061d400cf3faaf82f20f8a68ad3404c4839e628

SHA256
466a1e49b288281897084b333b0d37c695b6011e1cf2ff6e49a41f4a73400e29

SHA512
ca6a44439cd1f20b5e8ab27d6e9a88f091375adfe120185bfbecd608edadca51af76473d229ad36830bb84bf2f93a1d03d5ff2acddf525f14d88c52c2ea0fd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\240748687.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\433070167.xml
Filesize
1KB

MD5
45780025ac3fec92f4afba5674402f00

SHA1
f889188d2a2842d03df716229248baf38ffb4add

SHA256
1907cba4771fbe75e9f9bc9bb7318b3ee120ed9db587ebc0f7d299b0c1a02cc6

SHA512
870432f9c1a56d729688ca312df95ef8139823b497b1c6c489d95c9aa6cd018d52bbcf4a7036759433e94d0651b938cd6b57caa0ddae3eb1aec546af15e5415f

Download Submit
C:\Users\Admin\AppData\Roaming\Peix\hyzia.exe
Filesize
221KB

MD5
fb31b209042bbfd7d03241d86452cf12

SHA1
453ae4646a75fab7ed7ff80708e9f58514c745bb

SHA256
af40be5512ac786e068f9ba8716d79ee7c162440194d011f10fe177979479d18

SHA512
9317e4a30d6af6c5fa7b9d06c7caf71b131167552960393bd4e65c08da9db81a8ab9eab6cb560d6fda370a3b559b7059ace8fc05072bd3de6678ed9cb1ac4363

Download Submit
C:\Users\Admin\AppData\Roaming\Peix\hyzia.exe
Filesize
221KB

MD5
fb31b209042bbfd7d03241d86452cf12

SHA1
453ae4646a75fab7ed7ff80708e9f58514c745bb

SHA256
af40be5512ac786e068f9ba8716d79ee7c162440194d011f10fe177979479d18

SHA512
9317e4a30d6af6c5fa7b9d06c7caf71b131167552960393bd4e65c08da9db81a8ab9eab6cb560d6fda370a3b559b7059ace8fc05072bd3de6678ed9cb1ac4363

Download Submit
C:\Users\Admin\AppData\Roaming\Pony.exe
Filesize
34KB

MD5
28a5d91f5b0fa1993b59309353be7b14

SHA1
a8d674d87696719dd9f0672a25c09d49edbfac7c

SHA256
5799df0883e09b9f9d22a44e3b20b8f649d4f70bed66a058b44160f68b676246

SHA512
ae6008067877fc20ed55e090bf419280ca3d809d2a06a5a87fafae9e1963a6362e8cd34a8ae83da952e1c080737404d20d00d63bb840f27e1554cec60676910e

Download Submit
C:\Users\Admin\AppData\Roaming\Pony.exe
Filesize
34KB

MD5
28a5d91f5b0fa1993b59309353be7b14

SHA1
a8d674d87696719dd9f0672a25c09d49edbfac7c

SHA256
5799df0883e09b9f9d22a44e3b20b8f649d4f70bed66a058b44160f68b676246

SHA512
ae6008067877fc20ed55e090bf419280ca3d809d2a06a5a87fafae9e1963a6362e8cd34a8ae83da952e1c080737404d20d00d63bb840f27e1554cec60676910e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe
Filesize
864KB

MD5
03dfaa7b38468e7f418e1edac766946f

SHA1
dceb6bc8494dd6f00295ed13c225b3e3fb6c7825

SHA256
6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2

SHA512
2cd067ec38591c97b0c09c4a1f31450cc0f9c2ad3b68c351cd65e7feefbe0bf19e00703c8e47d50b2fd77a421938ba47dc75abf82531145779c95dd652f81139

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe
Filesize
864KB

MD5
03dfaa7b38468e7f418e1edac766946f

SHA1
dceb6bc8494dd6f00295ed13c225b3e3fb6c7825

SHA256
6e0f0c12da147dcca074e427dc4fcb2a29ee032d40a0e1d29128752c27baa4d2

SHA512
2cd067ec38591c97b0c09c4a1f31450cc0f9c2ad3b68c351cd65e7feefbe0bf19e00703c8e47d50b2fd77a421938ba47dc75abf82531145779c95dd652f81139

Download Submit
C:\Users\Admin\AppData\Roaming\Ysmuys\okyf.exe
Filesize
164KB

MD5
8bf2997e54e958d9c6bbb92c9223b339

SHA1
afa248b806dead5d4fb8ef65bb22deead471773a

SHA256
af2a532f7f6262587a361c8838bf19513bdf52ab9f8ea72e641682b862756484

SHA512
a935a7753431ee806796a14b39d259c69e41648820c4db5da8a8d4a9da3c1770b6fcc236826f0d8026c03cd13a0e64b8a985a5a96dd8004a7ac3688b152ef79a

Download Submit
C:\Users\Admin\AppData\Roaming\Ysmuys\okyf.exe
Filesize
164KB

MD5
8bf2997e54e958d9c6bbb92c9223b339

SHA1
afa248b806dead5d4fb8ef65bb22deead471773a

SHA256
af2a532f7f6262587a361c8838bf19513bdf52ab9f8ea72e641682b862756484

SHA512
a935a7753431ee806796a14b39d259c69e41648820c4db5da8a8d4a9da3c1770b6fcc236826f0d8026c03cd13a0e64b8a985a5a96dd8004a7ac3688b152ef79a

Download Submit
C:\Users\Admin\AppData\Roaming\Ytyf\rofiq.ici
Filesize
2KB

MD5
253726e44813f308298eb227c7934a12

SHA1
d643542df0efd095ff7ff37bdb4bf3de4fa4a856

SHA256
7923ebe74e5fc92758b14e08339c9428af83fc7aead1300189a00d724f2e5e06

SHA512
cdb78e74514fce6d53d17eddaa351de7e2172ffbc093ce807387e2ceddf3ea2c536920943e23e3866a5867a94b2d21187bbfb6fdac38147a36d9212174ed6821

Download Submit
C:\Users\Admin\AppData\Roaming\bot.exe
Filesize
164KB

MD5
d2eea717949b8af196da910a3058fb99

SHA1
7c2b66990186e11dd884b12fdb1dc8cc2d85bb1f

SHA256
a0f8824af360b6bbaac704590c0a97c5f45658586844ef54c3a1cbdbcd29e369

SHA512
b84c5b0321ebf4504dc5063c2a3d400c3fc4de58f1dfdf48dab0834a73b72894041fdd59238e7a0e675999dceb7682ebf66a3fd9d3fdf164880c51b40efb521e

Download Submit
C:\Users\Admin\AppData\Roaming\bot.exe
Filesize
164KB

MD5
d2eea717949b8af196da910a3058fb99

SHA1
7c2b66990186e11dd884b12fdb1dc8cc2d85bb1f

SHA256
a0f8824af360b6bbaac704590c0a97c5f45658586844ef54c3a1cbdbcd29e369

SHA512
b84c5b0321ebf4504dc5063c2a3d400c3fc4de58f1dfdf48dab0834a73b72894041fdd59238e7a0e675999dceb7682ebf66a3fd9d3fdf164880c51b40efb521e

Download Submit
C:\Users\Admin\AppData\Roaming\soft.exe
Filesize
221KB

MD5
f6f570a5099aaea4d1577ba4cfb665d4

SHA1
644a297eb55d4497502042234250bb3f7d9f06c6

SHA256
7fc514907edfe602ada997bb604b686f429b8597275e915b3506c77fcf1ad5d7

SHA512
a1dbb76d05123067745f5657c4a4a3fa3e0431a9cedd81e4244b31b2ab230d277ef53f822fffb96e8e08d385eea20e656b2e6b4c461ce9ecea3545aa232d48f3

Download Submit
C:\Users\Admin\AppData\Roaming\soft.exe
Filesize
221KB

MD5
f6f570a5099aaea4d1577ba4cfb665d4

SHA1
644a297eb55d4497502042234250bb3f7d9f06c6

SHA256
7fc514907edfe602ada997bb604b686f429b8597275e915b3506c77fcf1ad5d7

SHA512
a1dbb76d05123067745f5657c4a4a3fa3e0431a9cedd81e4244b31b2ab230d277ef53f822fffb96e8e08d385eea20e656b2e6b4c461ce9ecea3545aa232d48f3

Download Submit
memory/444-204-0x0000000001310000-0x000000000134B000-memory.dmp

Filesize
236KB

Download
memory/444-203-0x0000000001200000-0x000000000122E000-memory.dmp

Filesize
184KB

Download
memory/444-181-0x0000000001200000-0x000000000122E000-memory.dmp

Filesize
184KB

Download
memory/444-180-0x0000000000000000-mapping.dmp

Download
memory/872-141-0x0000000000000000-mapping.dmp

Download
memory/872-177-0x0000000000740000-0x000000000077B000-memory.dmp

Filesize
236KB

Download
memory/872-193-0x0000000000740000-0x000000000077B000-memory.dmp

Filesize
236KB

Download
memory/872-166-0x0000000000710000-0x000000000073E000-memory.dmp

Filesize
184KB

Download
memory/872-206-0x0000000000710000-0x000000000073E000-memory.dmp

Filesize
184KB

Download
memory/1060-133-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/1060-158-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/1060-132-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/1732-208-0x0000000000000000-mapping.dmp

Download
memory/1832-138-0x0000000000000000-mapping.dmp

Download
memory/1832-165-0x00000000005A0000-0x00000000005CE000-memory.dmp

Filesize
184KB

Download
memory/1832-182-0x00000000005A0000-0x00000000005CE000-memory.dmp

Filesize
184KB

Download
memory/1832-173-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/1832-175-0x00000000005A0000-0x00000000005CE000-memory.dmp

Filesize
184KB

Download
memory/1936-196-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1936-202-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1936-197-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1936-186-0x0000000000000000-mapping.dmp

Download
memory/1936-187-0x0000000000B70000-0x0000000000B9E000-memory.dmp

Filesize
184KB

Download
memory/1936-190-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1936-189-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1936-209-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1936-205-0x0000000003740000-0x000000000377B000-memory.dmp

Filesize
236KB

Download
memory/1936-188-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1992-183-0x0000000000000000-mapping.dmp

Download
memory/1992-184-0x0000000000440000-0x000000000046E000-memory.dmp

Filesize
184KB

Download
memory/2052-210-0x0000000000000000-mapping.dmp

Download
memory/2052-211-0x0000000000D10000-0x0000000000D4B000-memory.dmp

Filesize
236KB

Download
memory/2052-212-0x0000000000D50000-0x0000000000D7E000-memory.dmp

Filesize
184KB

Download
memory/2052-217-0x0000000000D50000-0x0000000000D7E000-memory.dmp

Filesize
184KB

Download
memory/2976-144-0x0000000000000000-mapping.dmp

Download
memory/3152-179-0x0000000000440000-0x000000000046E000-memory.dmp

Filesize
184KB

Download
memory/3152-178-0x0000000000000000-mapping.dmp

Download
memory/4160-151-0x0000000000000000-mapping.dmp

Download
memory/4160-168-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/4376-161-0x0000000000A60000-0x0000000000A9B000-memory.dmp

Filesize
236KB

Download
memory/4376-174-0x00000000023F0000-0x000000000241E000-memory.dmp

Filesize
184KB

Download
memory/4376-170-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4376-216-0x00000000023F0000-0x000000000241E000-memory.dmp

Filesize
184KB

Download
memory/4376-215-0x0000000000A60000-0x0000000000A9B000-memory.dmp

Filesize
236KB

Download
memory/4376-214-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4376-134-0x0000000000000000-mapping.dmp

Download
memory/4376-172-0x0000000000A60000-0x0000000000A9B000-memory.dmp

Filesize
236KB

Download
memory/4376-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4376-164-0x00000000023F0000-0x000000000241E000-memory.dmp

Filesize
184KB

Download
memory/4752-185-0x0000000000E30000-0x0000000000E6B000-memory.dmp

Filesize
236KB

Download
memory/4752-150-0x0000000000000000-mapping.dmp

Download
memory/4752-163-0x0000000000E00000-0x0000000000E2E000-memory.dmp

Filesize
184KB

Download
memory/4752-194-0x0000000000E30000-0x0000000000E6B000-memory.dmp

Filesize
236KB

Download
memory/4784-176-0x0000000005A40000-0x0000000005F0E000-memory.dmp

Filesize
4.8MB

Download
memory/4784-167-0x0000000005A40000-0x0000000005F0E000-memory.dmp

Filesize
4.8MB

Download
memory/4784-160-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4784-192-0x0000000006FF0000-0x000000000702B000-memory.dmp

Filesize
236KB

Download
memory/4784-147-0x0000000000000000-mapping.dmp

Download
memory/4784-195-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4784-171-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4800-207-0x0000000000600000-0x000000000063B000-memory.dmp

Filesize
236KB

Download
memory/4800-200-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/4800-198-0x0000000000000000-mapping.dmp

Download
memory/4800-201-0x0000000000600000-0x000000000063B000-memory.dmp

Filesize
236KB

Download
memory/5036-169-0x0000000000D60000-0x0000000000D8E000-memory.dmp

Filesize
184KB

Download
memory/5036-159-0x0000000000000000-mapping.dmp

Download