pony | 64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe
Size

684KB
MD5

f30b5469b217401922b630a70c0d6b25
SHA1

8c3f8b0dd9f522265ddebe063a0f03d8ffbd5c06
SHA256

64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a
SHA512

608c86e693c6ec756f3224eba7667fb66b2f78f116c4574647d3a490ee1c95b4fa23e1bf7529a5a8471bc966c909bb43d943cc32da61ce875899300cccf703c5
SSDEEP

12288:+rem0ZUDEB8K1GFvzGJ5AB53hzwGCa4IE7CEB8K1GFvzGJ5AB53hzwGCa4IE7H:0+UYebzGLABTzwDx7RebzGLABTzwDx7H

Score

10^/10

pony collection credential_access discovery persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

http://godhelpusthisyear.biz/wordpress/wp-admin/blacker/php/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 3 IoCs

pid	Process
2080	FB_ABF8.tmp.exe
2276	FB_AC66.tmp.exe
2912	imyxk.exe

Loads dropped DLL 6 IoCs

pid	Process
1816	iexplore.exe
1816	iexplore.exe
1816	iexplore.exe
1816	iexplore.exe
2080	FB_ABF8.tmp.exe
2080	FB_ABF8.tmp.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000192f0-13.dat	upx
behavioral1/memory/2276-20-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2276-452-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2276-484-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	FB_AC66.tmp.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_AC66.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{14A00B50-7ACA-2653-3F08-ADCFE5BCAEE8} = "C:\\Users\\Admin\\AppData\\Roaming\\Okefxi\\imyxk.exe"	imyxk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2080 set thread context of 2724	2080	FB_ABF8.tmp.exe	35
PID 2276 set thread context of 1652	2276	FB_AC66.tmp.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_ABF8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_AC66.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Privacy	FB_ABF8.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	FB_ABF8.tmp.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\16422F72-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe
2912	imyxk.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2080	FB_ABF8.tmp.exe
Token: SeImpersonatePrivilege	2276	FB_AC66.tmp.exe
Token: SeTcbPrivilege	2276	FB_AC66.tmp.exe
Token: SeChangeNotifyPrivilege	2276	FB_AC66.tmp.exe
Token: SeCreateTokenPrivilege	2276	FB_AC66.tmp.exe
Token: SeBackupPrivilege	2276	FB_AC66.tmp.exe
Token: SeRestorePrivilege	2276	FB_AC66.tmp.exe
Token: SeIncreaseQuotaPrivilege	2276	FB_AC66.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2276	FB_AC66.tmp.exe
Token: SeSecurityPrivilege	2080	FB_ABF8.tmp.exe
Token: SeSecurityPrivilege	2080	FB_ABF8.tmp.exe
Token: SeManageVolumePrivilege	2732	WinMail.exe
Token: SeImpersonatePrivilege	2276	FB_AC66.tmp.exe
Token: SeTcbPrivilege	2276	FB_AC66.tmp.exe
Token: SeChangeNotifyPrivilege	2276	FB_AC66.tmp.exe
Token: SeCreateTokenPrivilege	2276	FB_AC66.tmp.exe
Token: SeBackupPrivilege	2276	FB_AC66.tmp.exe
Token: SeRestorePrivilege	2276	FB_AC66.tmp.exe
Token: SeIncreaseQuotaPrivilege	2276	FB_AC66.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2276	FB_AC66.tmp.exe
Token: SeImpersonatePrivilege	2276	FB_AC66.tmp.exe
Token: SeTcbPrivilege	2276	FB_AC66.tmp.exe
Token: SeChangeNotifyPrivilege	2276	FB_AC66.tmp.exe
Token: SeCreateTokenPrivilege	2276	FB_AC66.tmp.exe
Token: SeBackupPrivilege	2276	FB_AC66.tmp.exe
Token: SeRestorePrivilege	2276	FB_AC66.tmp.exe
Token: SeIncreaseQuotaPrivilege	2276	FB_AC66.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2276	FB_AC66.tmp.exe
Token: SeImpersonatePrivilege	2276	FB_AC66.tmp.exe
Token: SeTcbPrivilege	2276	FB_AC66.tmp.exe
Token: SeChangeNotifyPrivilege	2276	FB_AC66.tmp.exe
Token: SeCreateTokenPrivilege	2276	FB_AC66.tmp.exe
Token: SeBackupPrivilege	2276	FB_AC66.tmp.exe
Token: SeRestorePrivilege	2276	FB_AC66.tmp.exe
Token: SeIncreaseQuotaPrivilege	2276	FB_AC66.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2276	FB_AC66.tmp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2732	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 2612 wrote to memory of 1816	2612	64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe	30
PID 1816 wrote to memory of 2080	1816	iexplore.exe	31
PID 1816 wrote to memory of 2080	1816	iexplore.exe	31
PID 1816 wrote to memory of 2080	1816	iexplore.exe	31
PID 1816 wrote to memory of 2080	1816	iexplore.exe	31
PID 1816 wrote to memory of 2276	1816	iexplore.exe	32
PID 1816 wrote to memory of 2276	1816	iexplore.exe	32
PID 1816 wrote to memory of 2276	1816	iexplore.exe	32
PID 1816 wrote to memory of 2276	1816	iexplore.exe	32
PID 2080 wrote to memory of 2912	2080	FB_ABF8.tmp.exe	33
PID 2080 wrote to memory of 2912	2080	FB_ABF8.tmp.exe	33
PID 2080 wrote to memory of 2912	2080	FB_ABF8.tmp.exe	33
PID 2080 wrote to memory of 2912	2080	FB_ABF8.tmp.exe	33
PID 2912 wrote to memory of 1108	2912	imyxk.exe	19
PID 2912 wrote to memory of 1108	2912	imyxk.exe	19
PID 2912 wrote to memory of 1108	2912	imyxk.exe	19
PID 2912 wrote to memory of 1108	2912	imyxk.exe	19
PID 2912 wrote to memory of 1108	2912	imyxk.exe	19
PID 2912 wrote to memory of 1172	2912	imyxk.exe	20
PID 2912 wrote to memory of 1172	2912	imyxk.exe	20
PID 2912 wrote to memory of 1172	2912	imyxk.exe	20
PID 2912 wrote to memory of 1172	2912	imyxk.exe	20
PID 2912 wrote to memory of 1172	2912	imyxk.exe	20
PID 2912 wrote to memory of 1208	2912	imyxk.exe	21
PID 2912 wrote to memory of 1208	2912	imyxk.exe	21
PID 2912 wrote to memory of 1208	2912	imyxk.exe	21
PID 2912 wrote to memory of 1208	2912	imyxk.exe	21
PID 2912 wrote to memory of 1208	2912	imyxk.exe	21
PID 2912 wrote to memory of 852	2912	imyxk.exe	25
PID 2912 wrote to memory of 852	2912	imyxk.exe	25
PID 2912 wrote to memory of 852	2912	imyxk.exe	25
PID 2912 wrote to memory of 852	2912	imyxk.exe	25
PID 2912 wrote to memory of 852	2912	imyxk.exe	25
PID 2912 wrote to memory of 2080	2912	imyxk.exe	31
PID 2912 wrote to memory of 2080	2912	imyxk.exe	31
PID 2912 wrote to memory of 2080	2912	imyxk.exe	31
PID 2912 wrote to memory of 2080	2912	imyxk.exe	31
PID 2912 wrote to memory of 2080	2912	imyxk.exe	31
PID 2912 wrote to memory of 2276	2912	imyxk.exe	32
PID 2912 wrote to memory of 2276	2912	imyxk.exe	32
PID 2912 wrote to memory of 2276	2912	imyxk.exe	32
PID 2912 wrote to memory of 2276	2912	imyxk.exe	32
PID 2912 wrote to memory of 2276	2912	imyxk.exe	32
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2080 wrote to memory of 2724	2080	FB_ABF8.tmp.exe	35
PID 2912 wrote to memory of 2968	2912	imyxk.exe	37
PID 2912 wrote to memory of 2968	2912	imyxk.exe	37
PID 2912 wrote to memory of 2968	2912	imyxk.exe	37

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_AC66.tmp.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe
  "C:\Users\Admin\AppData\Local\Temp\64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\FB_ABF8.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_ABF8.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Users\Admin\AppData\Roaming\Okefxi\imyxk.exe
        
        "C:\Users\Admin\AppData\Roaming\Okefxi\imyxk.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp136149ec.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\FB_AC66.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_AC66.tmp.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      outlook_win_path
      PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259451097.bat" "C:\Users\Admin\AppData\Local\Temp\FB_AC66.tmp.exe" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:852

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
6a5f5ff481c0195282bc40dba3bd209b

SHA1
4838ff8193060557cc7fea2df6e5acdf9ccccf56

SHA256
4c4011ef9e039a5de8ac1a5d6dc16c606cf6e913f4e73b0b047c35ec7b58a055

SHA512
45710c483ea7e8b3048b213735ab67923fbe65a71ea2ab37504c78ec69d0d6527a5c42890d20db69e56b4f8ddaec19fb6b23667ad2f9fa4c179c5dbfdd8833f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\259451097.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp136149ec.bat

Filesize
201B

MD5
c44777ea1004caf4a88b9f0ccb21654e

SHA1
4e6dd433af0ac685d76d4968b4386bc0280804ae

SHA256
3646a28c2980acb0d8b625d3d44a9891d32102ec8056ca021d94861a9075e3b4

SHA512
23f87eb85124b340ee2fd2ddd1d78812cb8a5079045deb1ce28e838effe6922fe186e3b90a63168ffd3c821c664043a7554e2e91c231f7977f8e1b57929c875e

Download Submit
C:\Users\Admin\AppData\Roaming\Gagodu\ibqy.yko

Filesize
345B

MD5
9cc593ec573b3a9f11a3e4105d968044

SHA1
5f02ab63bb853878e239c7efff6a9539ad1b0f17

SHA256
aa10873aef55a8ec08ded0d4d93aeaf78ed7af89da68a4bdb17b2f5bd1dcef61

SHA512
e42530e97cb203b1224d15cbe96282bb977f5e91ce1cd267ce071ff12ff8a8170bda4010ef4d7693a1271fec1b7127eff5f705dafd701d059a7cfbb1b221f333

Download Submit
\Users\Admin\AppData\Local\Temp\FB_ABF8.tmp.exe

Filesize
138KB

MD5
7f5da25c7eaa97d92532d22160abc7e2

SHA1
0630ecfacd812605dcc86fc38ad05c5aac089fb0

SHA256
dc2510ab9a346ec323946b518264180be6be672c116e0911aede5e85ede7bfc8

SHA512
e676f6434bc371a66ac4b908587290d1ccf6afe1eb7573e3c4e9ea6dbc6fb15ec37f3c5f90d14599db0d51f097e51c45c485cdc77ec3584e8f92eb96c04928d3

Download Submit
\Users\Admin\AppData\Local\Temp\FB_AC66.tmp.exe

Filesize
34KB

MD5
8445ad8edaca0218f02c94fd227e3f83

SHA1
9902c7ff62c6e0d1bad3a8876e48c835f6cfb857

SHA256
a3910669d44d2a6f9f38a4764bd8a86bfc52efec95ec1cbae0ca6d98e7fe10c2

SHA512
9dfcb3acf39306102b4b2dba6d319807a10d99e5bbb3b3d2df553c3ddd28ca19f3a5b3a2a2a76c09a0b844315899e245562ec766569ac9e6330a3cabc2714ca2

Download Submit
\Users\Admin\AppData\Roaming\Okefxi\imyxk.exe

Filesize
138KB

MD5
b021004c8de29d23eaf5e273f4dd6ab4

SHA1
9ef05203c8656a845b948a8ed9fff8fce1ecc353

SHA256
de07eb2e0908c7cd8345a8f822b6ae5121f345abe7a874946b071043ab978664

SHA512
91cd39d889b919d80f81d77a588fa9310390afbf1a4dedc7e596b157541255928caa50771272007f0ad151fa447d626d0311639844fa4f2465fcf237624d5563

Download Submit
memory/852-47-0x0000000001DB0000-0x0000000001DD7000-memory.dmp

Filesize
156KB

Download
memory/852-48-0x0000000001DB0000-0x0000000001DD7000-memory.dmp

Filesize
156KB

Download
memory/852-49-0x0000000001DB0000-0x0000000001DD7000-memory.dmp

Filesize
156KB

Download
memory/852-50-0x0000000001DB0000-0x0000000001DD7000-memory.dmp

Filesize
156KB

Download
memory/1108-33-0x0000000002080000-0x00000000020A7000-memory.dmp

Filesize
156KB

Download
memory/1108-35-0x0000000002080000-0x00000000020A7000-memory.dmp

Filesize
156KB

Download
memory/1108-34-0x0000000002080000-0x00000000020A7000-memory.dmp

Filesize
156KB

Download
memory/1108-31-0x0000000002080000-0x00000000020A7000-memory.dmp

Filesize
156KB

Download
memory/1108-32-0x0000000002080000-0x00000000020A7000-memory.dmp

Filesize
156KB

Download
memory/1172-38-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1172-37-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1172-40-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1172-39-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1208-44-0x0000000002D90000-0x0000000002DB7000-memory.dmp

Filesize
156KB

Download
memory/1208-42-0x0000000002D90000-0x0000000002DB7000-memory.dmp

Filesize
156KB

Download
memory/1208-43-0x0000000002D90000-0x0000000002DB7000-memory.dmp

Filesize
156KB

Download
memory/1208-45-0x0000000002D90000-0x0000000002DB7000-memory.dmp

Filesize
156KB

Download
memory/1816-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2080-60-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-93-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-62-0x0000000077E20000-0x0000000077E21000-memory.dmp

Filesize
4KB

Download
memory/2080-63-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-58-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-65-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-69-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-79-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-71-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-73-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-77-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-67-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-52-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2080-53-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2080-95-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-75-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-91-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-89-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-87-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-85-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-83-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-81-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-142-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2080-54-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2080-345-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2080-55-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2080-56-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2080-57-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2276-452-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2276-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2276-484-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download