pony | ab479389ce28fb6d30f6b6c60346aed6aba5d32b6a5c2e41cb8e7a640d4a5c91

Analysis

max time kernel
98s
max time network
92s
platform
windows10_x64
resource
win10v20210408
submitted
13-07-2021 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pony_test001.exe
Size

2.6MB
MD5

ae95ec88d9b9ff869181e6fe2c60ca6f
SHA1

0f24a43b088b64d19f1bce99e80f80108005ad02
SHA256

ab479389ce28fb6d30f6b6c60346aed6aba5d32b6a5c2e41cb8e7a640d4a5c91
SHA512

626a2702c0c9ddfcea1af665d80673520002b00f1a3c190709671c878e83d86b71b71d8e281fb21b49ec5a8847b677bbd157e6a8962e601ad183c6c4be4bc994

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2384	explorer.exe
1496	explorer.exe
800	explorer.exe
1808	spoolsv.exe
3816	spoolsv.exe
1552	spoolsv.exe
2020	spoolsv.exe
3232	spoolsv.exe
2804	spoolsv.exe
3908	spoolsv.exe
2284	spoolsv.exe
1124	spoolsv.exe
196	spoolsv.exe
2420	spoolsv.exe
2244	spoolsv.exe
788	spoolsv.exe
64	spoolsv.exe
3944	spoolsv.exe
1356	spoolsv.exe
3576	spoolsv.exe
684	spoolsv.exe
3132	spoolsv.exe
1992	spoolsv.exe
2080	spoolsv.exe
3832	spoolsv.exe
720	spoolsv.exe
3228	spoolsv.exe
2552	spoolsv.exe
3584	spoolsv.exe
3232	spoolsv.exe
2816	spoolsv.exe
4084	spoolsv.exe
2260	spoolsv.exe
1124	spoolsv.exe
3148	spoolsv.exe
1636	spoolsv.exe
2880	spoolsv.exe
1336	spoolsv.exe
2384	spoolsv.exe
3100	spoolsv.exe
3708	spoolsv.exe
3192	spoolsv.exe
2008	spoolsv.exe
3696	spoolsv.exe
1528	spoolsv.exe
1452	spoolsv.exe
3680	spoolsv.exe
768	spoolsv.exe
3232	spoolsv.exe
3672	spoolsv.exe
3164	spoolsv.exe
2956	spoolsv.exe
1124	spoolsv.exe
904	spoolsv.exe
716	spoolsv.exe
4060	spoolsv.exe
3904	spoolsv.exe
3504	spoolsv.exe
2064	spoolsv.exe
2848	spoolsv.exe
720	spoolsv.exe
1156	spoolsv.exe
1452	spoolsv.exe
4048	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 2 IoCs

Processes:

pony_test001.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pony_test001.exe	pony_test001.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pony_test001.exe	pony_test001.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

pony_test001.exepony_test001.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 636 set thread context of 2864	636	pony_test001.exe	pony_test001.exe
PID 2864 set thread context of 1940	2864	pony_test001.exe	pony_test001.exe
PID 2384 set thread context of 1496	2384	explorer.exe	explorer.exe
PID 1496 set thread context of 800	1496	explorer.exe	explorer.exe
PID 1808 set thread context of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1552 set thread context of 2020	1552	spoolsv.exe	spoolsv.exe
PID 3232 set thread context of 2804	3232	spoolsv.exe	spoolsv.exe
PID 3908 set thread context of 2284	3908	spoolsv.exe	spoolsv.exe
PID 1124 set thread context of 196	1124	spoolsv.exe	spoolsv.exe
PID 2420 set thread context of 2244	2420	spoolsv.exe	spoolsv.exe
PID 788 set thread context of 64	788	spoolsv.exe	spoolsv.exe
PID 3944 set thread context of 1356	3944	spoolsv.exe	spoolsv.exe
PID 3576 set thread context of 684	3576	spoolsv.exe	spoolsv.exe
PID 3132 set thread context of 1992	3132	spoolsv.exe	spoolsv.exe
PID 2080 set thread context of 3832	2080	spoolsv.exe	spoolsv.exe
PID 720 set thread context of 3228	720	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 3584	2552	spoolsv.exe	spoolsv.exe
PID 3232 set thread context of 2816	3232	spoolsv.exe	spoolsv.exe
PID 4084 set thread context of 2260	4084	spoolsv.exe	spoolsv.exe
PID 1124 set thread context of 3148	1124	spoolsv.exe	spoolsv.exe
PID 1636 set thread context of 2880	1636	spoolsv.exe	spoolsv.exe
PID 1336 set thread context of 2384	1336	spoolsv.exe	spoolsv.exe
PID 3100 set thread context of 3708	3100	spoolsv.exe	spoolsv.exe
PID 3192 set thread context of 2008	3192	spoolsv.exe	spoolsv.exe
PID 3696 set thread context of 1528	3696	spoolsv.exe	spoolsv.exe
PID 1452 set thread context of 3680	1452	spoolsv.exe	spoolsv.exe
PID 768 set thread context of 3232	768	spoolsv.exe	spoolsv.exe
PID 3672 set thread context of 3164	3672	spoolsv.exe	spoolsv.exe
PID 2956 set thread context of 1124	2956	spoolsv.exe	spoolsv.exe
PID 904 set thread context of 716	904	spoolsv.exe	spoolsv.exe
PID 4060 set thread context of 3904	4060	spoolsv.exe	spoolsv.exe
PID 3504 set thread context of 2064	3504	spoolsv.exe	spoolsv.exe
PID 2848 set thread context of 720	2848	spoolsv.exe	spoolsv.exe
PID 1156 set thread context of 1452	1156	spoolsv.exe	spoolsv.exe
PID 4048 set thread context of 768	4048	spoolsv.exe	spoolsv.exe
PID 200 set thread context of 2204	200	spoolsv.exe	spoolsv.exe
PID 416 set thread context of 788	416	spoolsv.exe	spoolsv.exe
PID 2184 set thread context of 1448	2184	spoolsv.exe	spoolsv.exe
PID 3796 set thread context of 3576	3796	spoolsv.exe	spoolsv.exe
PID 1568 set thread context of 3492	1568	spoolsv.exe	spoolsv.exe
PID 3824 set thread context of 2208	3824	spoolsv.exe	spoolsv.exe
PID 4048 set thread context of 3908	4048	spoolsv.exe	spoolsv.exe
PID 3024 set thread context of 3768	3024	spoolsv.exe	spoolsv.exe
PID 3100 set thread context of 3796	3100	spoolsv.exe	spoolsv.exe
PID 1664 set thread context of 4000	1664	spoolsv.exe	spoolsv.exe
PID 1116 set thread context of 904	1116	spoolsv.exe	spoolsv.exe
PID 3184 set thread context of 1624	3184	spoolsv.exe	spoolsv.exe
PID 3500 set thread context of 2492	3500	spoolsv.exe	spoolsv.exe
PID 1116 set thread context of 416	1116	spoolsv.exe	spoolsv.exe
PID 3192 set thread context of 1028	3192	spoolsv.exe	spoolsv.exe
PID 2200 set thread context of 4048	2200	spoolsv.exe	spoolsv.exe
PID 3192 set thread context of 3392	3192	spoolsv.exe	spoolsv.exe
PID 1116 set thread context of 4108	1116	spoolsv.exe	spoolsv.exe
PID 4128 set thread context of 4152	4128	spoolsv.exe	spoolsv.exe
PID 4196 set thread context of 4220	4196	spoolsv.exe	spoolsv.exe
PID 4240 set thread context of 4264	4240	spoolsv.exe	spoolsv.exe
PID 4284 set thread context of 4308	4284	spoolsv.exe	spoolsv.exe
PID 4328 set thread context of 4360	4328	spoolsv.exe	spoolsv.exe
PID 4380 set thread context of 4404	4380	spoolsv.exe	spoolsv.exe
PID 3816 set thread context of 4448	3816	spoolsv.exe	spoolsv.exe
PID 4424 set thread context of 4464	4424	spoolsv.exe	spoolsv.exe
PID 4504 set thread context of 4528	4504	spoolsv.exe	spoolsv.exe
PID 4556 set thread context of 4580	4556	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 4600	2020	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepony_test001.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	pony_test001.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pony_test001.exeexplorer.exe

pid	process
1940	pony_test001.exe
1940	pony_test001.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe
800	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
636	pony_test001.exe
1940	pony_test001.exe
1940	pony_test001.exe
2384	explorer.exe
800	explorer.exe
800	explorer.exe
1808	spoolsv.exe
800	explorer.exe
800	explorer.exe
1552	spoolsv.exe
3232	spoolsv.exe
3908	spoolsv.exe
1124	spoolsv.exe
2420	spoolsv.exe
788	spoolsv.exe
3944	spoolsv.exe
3576	spoolsv.exe
3132	spoolsv.exe
2080	spoolsv.exe
720	spoolsv.exe
2552	spoolsv.exe
3232	spoolsv.exe
4084	spoolsv.exe
1124	spoolsv.exe
1636	spoolsv.exe
1336	spoolsv.exe
3100	spoolsv.exe
3192	spoolsv.exe
3696	spoolsv.exe
1452	spoolsv.exe
768	spoolsv.exe
3672	spoolsv.exe
2956	spoolsv.exe
904	spoolsv.exe
4060	spoolsv.exe
3504	spoolsv.exe
2848	spoolsv.exe
1156	spoolsv.exe
4048	spoolsv.exe
200	spoolsv.exe
416	spoolsv.exe
2184	spoolsv.exe
3796	spoolsv.exe
1568	spoolsv.exe
3824	spoolsv.exe
4048	spoolsv.exe
3024	spoolsv.exe
3100	spoolsv.exe
1664	spoolsv.exe
1116	spoolsv.exe
3184	spoolsv.exe
3500	spoolsv.exe
1116	spoolsv.exe
3192	spoolsv.exe
2200	spoolsv.exe
3192	spoolsv.exe
1116	spoolsv.exe
4128	spoolsv.exe
4196	spoolsv.exe
4240	spoolsv.exe
4284	spoolsv.exe
4328	spoolsv.exe
4380	spoolsv.exe
4424	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pony_test001.exepony_test001.exepony_test001.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 636 wrote to memory of 2864	636	pony_test001.exe	pony_test001.exe
PID 2864 wrote to memory of 1940	2864	pony_test001.exe	pony_test001.exe
PID 2864 wrote to memory of 1940	2864	pony_test001.exe	pony_test001.exe
PID 2864 wrote to memory of 1940	2864	pony_test001.exe	pony_test001.exe
PID 2864 wrote to memory of 1940	2864	pony_test001.exe	pony_test001.exe
PID 2864 wrote to memory of 1940	2864	pony_test001.exe	pony_test001.exe
PID 1940 wrote to memory of 2384	1940	pony_test001.exe	explorer.exe
PID 1940 wrote to memory of 2384	1940	pony_test001.exe	explorer.exe
PID 1940 wrote to memory of 2384	1940	pony_test001.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 2384 wrote to memory of 1496	2384	explorer.exe	explorer.exe
PID 1496 wrote to memory of 800	1496	explorer.exe	explorer.exe
PID 1496 wrote to memory of 800	1496	explorer.exe	explorer.exe
PID 1496 wrote to memory of 800	1496	explorer.exe	explorer.exe
PID 1496 wrote to memory of 800	1496	explorer.exe	explorer.exe
PID 1496 wrote to memory of 800	1496	explorer.exe	explorer.exe
PID 800 wrote to memory of 1808	800	explorer.exe	spoolsv.exe
PID 800 wrote to memory of 1808	800	explorer.exe	spoolsv.exe
PID 800 wrote to memory of 1808	800	explorer.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 1808 wrote to memory of 3816	1808	spoolsv.exe	spoolsv.exe
PID 800 wrote to memory of 1552	800	explorer.exe	spoolsv.exe
PID 800 wrote to memory of 1552	800	explorer.exe	spoolsv.exe
PID 800 wrote to memory of 1552	800	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 2020	1552	spoolsv.exe	spoolsv.exe
PID 1552 wrote to memory of 2020	1552	spoolsv.exe	spoolsv.exe
PID 1552 wrote to memory of 2020	1552	spoolsv.exe	spoolsv.exe
PID 1552 wrote to memory of 2020	1552	spoolsv.exe	spoolsv.exe
PID 1552 wrote to memory of 2020	1552	spoolsv.exe	spoolsv.exe
PID 1552 wrote to memory of 2020	1552	spoolsv.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\pony_test001.exe
"C:\Users\Admin\AppData\Local\Temp\pony_test001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\pony_test001.exe
"C:\Users\Admin\AppData\Local\Temp\pony_test001.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\pony_test001.exe
"C:\Users\Admin\AppData\Local\Temp\pony_test001.exe"
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1496

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3816

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2020

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2804

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2284

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:196

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2244

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:64

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5044

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1356

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:5024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4128

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
MD5
8447c59f2a99f7fad6959583742c24e4

SHA1
35c4bd13e51cf79d463c75ab849423172b3356a1

SHA256
f7bc7700cf3e443cd7765afad8c35a513ffccc8211f5bcb9a2be4c85fd549f77

SHA512
833736d35126ba7eb3a15c13a7652602bff286a219363e7240def1c5ff174b7a1a4a83a63ac829135c18e5bb6223adf4f5e1fdd0e2f6767238adead1c4425045

Download Submit
C:\Windows\System\explorer.exe
MD5
8447c59f2a99f7fad6959583742c24e4

SHA1
35c4bd13e51cf79d463c75ab849423172b3356a1

SHA256
f7bc7700cf3e443cd7765afad8c35a513ffccc8211f5bcb9a2be4c85fd549f77

SHA512
833736d35126ba7eb3a15c13a7652602bff286a219363e7240def1c5ff174b7a1a4a83a63ac829135c18e5bb6223adf4f5e1fdd0e2f6767238adead1c4425045

Download Submit
C:\Windows\System\explorer.exe
MD5
8447c59f2a99f7fad6959583742c24e4

SHA1
35c4bd13e51cf79d463c75ab849423172b3356a1

SHA256
f7bc7700cf3e443cd7765afad8c35a513ffccc8211f5bcb9a2be4c85fd549f77

SHA512
833736d35126ba7eb3a15c13a7652602bff286a219363e7240def1c5ff174b7a1a4a83a63ac829135c18e5bb6223adf4f5e1fdd0e2f6767238adead1c4425045

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
\??\c:\windows\system\explorer.exe
MD5
8447c59f2a99f7fad6959583742c24e4

SHA1
35c4bd13e51cf79d463c75ab849423172b3356a1

SHA256
f7bc7700cf3e443cd7765afad8c35a513ffccc8211f5bcb9a2be4c85fd549f77

SHA512
833736d35126ba7eb3a15c13a7652602bff286a219363e7240def1c5ff174b7a1a4a83a63ac829135c18e5bb6223adf4f5e1fdd0e2f6767238adead1c4425045

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
66fa57ee1809b5a9943d9ce051c60b0f

SHA1
7ad9a62ebbc136a97d2161579aca48c7c97ab195

SHA256
422b71a511d1b98b749e107ff325258f7dbd525122169c44cea618f8ab308072

SHA512
7d1846c6da9102c9db2636cbc810a716a3224fca4f536c0cc0160fc696c35a6d057c892fac5a8d3d4a601a951d070b046771bf46c97344adbc67fddbc8c0b6e0

Download Submit
memory/64-203-0x000000000046D1F4-mapping.dmp

Download
memory/64-207-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/196-191-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/196-186-0x000000000046D1F4-mapping.dmp

Download
memory/416-453-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/684-228-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/684-222-0x000000000046D1F4-mapping.dmp

Download
memory/716-359-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/716-356-0x000000000046D1F4-mapping.dmp

Download
memory/720-372-0x000000000046D1F4-mapping.dmp

Download
memory/720-242-0x0000000000000000-mapping.dmp

Download
memory/768-391-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/768-331-0x0000000000000000-mapping.dmp

Download
memory/788-197-0x0000000000000000-mapping.dmp

Download
memory/788-393-0x0000000000710000-0x000000000085A000-memory.dmp

Filesize
1.3MB

Download
memory/800-138-0x0000000000403670-mapping.dmp

Download
memory/904-433-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/904-352-0x0000000000000000-mapping.dmp

Download
memory/1028-455-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/1124-179-0x0000000000000000-mapping.dmp

Download
memory/1124-350-0x0000000000710000-0x000000000085A000-memory.dmp

Filesize
1.3MB

Download
memory/1124-348-0x000000000046D1F4-mapping.dmp

Download
memory/1124-278-0x0000000000000000-mapping.dmp

Download
memory/1156-373-0x0000000000000000-mapping.dmp

Download
memory/1336-296-0x0000000000000000-mapping.dmp

Download
memory/1356-213-0x000000000046D1F4-mapping.dmp

Download
memory/1356-217-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1448-394-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1452-326-0x0000000000000000-mapping.dmp

Download
memory/1452-390-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/1496-132-0x000000000046D1F4-mapping.dmp

Download
memory/1496-136-0x00000000006F0000-0x000000000083A000-memory.dmp

Filesize
1.3MB

Download
memory/1496-135-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1528-325-0x000000000046D1F4-mapping.dmp

Download
memory/1528-334-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/1552-151-0x0000000000000000-mapping.dmp

Download
memory/1624-434-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/1636-288-0x0000000000000000-mapping.dmp

Download
memory/1808-143-0x0000000000000000-mapping.dmp

Download
memory/1940-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-121-0x0000000000403670-mapping.dmp

Download
memory/1940-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-231-0x000000000046D1F4-mapping.dmp

Download
memory/1992-240-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/2008-320-0x000000000046D1F4-mapping.dmp

Download
memory/2008-332-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2020-157-0x000000000046D1F4-mapping.dmp

Download
memory/2020-161-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2064-367-0x000000000046D1F4-mapping.dmp

Download
memory/2080-233-0x0000000000000000-mapping.dmp

Download
memory/2204-392-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2208-413-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/2244-206-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2244-195-0x000000000046D1F4-mapping.dmp

Download
memory/2260-286-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2260-276-0x000000000046D1F4-mapping.dmp

Download
memory/2284-176-0x000000000046D1F4-mapping.dmp

Download
memory/2284-180-0x00000000006C0000-0x000000000080A000-memory.dmp

Filesize
1.3MB

Download
memory/2384-310-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2384-125-0x0000000000000000-mapping.dmp

Download
memory/2384-302-0x000000000046D1F4-mapping.dmp

Download
memory/2420-188-0x0000000000000000-mapping.dmp

Download
memory/2492-431-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2552-252-0x0000000000000000-mapping.dmp

Download
memory/2804-178-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2804-168-0x000000000046D1F4-mapping.dmp

Download
memory/2816-272-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2816-267-0x000000000046D1F4-mapping.dmp

Download
memory/2848-368-0x0000000000000000-mapping.dmp

Download
memory/2864-118-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2864-119-0x0000000000670000-0x000000000071E000-memory.dmp

Filesize
696KB

Download
memory/2864-117-0x000000000046D1F4-mapping.dmp

Download
memory/2864-116-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2880-294-0x000000000046D1F4-mapping.dmp

Download
memory/2880-307-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/2956-344-0x0000000000000000-mapping.dmp

Download
memory/3100-304-0x0000000000000000-mapping.dmp

Download
memory/3132-224-0x0000000000000000-mapping.dmp

Download
memory/3148-284-0x000000000046D1F4-mapping.dmp

Download
memory/3148-287-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3164-343-0x000000000046D1F4-mapping.dmp

Download
memory/3164-351-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3192-314-0x0000000000000000-mapping.dmp

Download
memory/3228-248-0x000000000046D1F4-mapping.dmp

Download
memory/3228-251-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3232-260-0x0000000000000000-mapping.dmp

Download
memory/3232-162-0x0000000000000000-mapping.dmp

Download
memory/3232-338-0x000000000046D1F4-mapping.dmp

Download
memory/3232-349-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/3392-457-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/3492-412-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3504-363-0x0000000000000000-mapping.dmp

Download
memory/3576-410-0x0000000000630000-0x000000000077A000-memory.dmp

Filesize
1.3MB

Download
memory/3576-215-0x0000000000000000-mapping.dmp

Download
memory/3584-263-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/3584-258-0x000000000046D1F4-mapping.dmp

Download
memory/3672-339-0x0000000000000000-mapping.dmp

Download
memory/3680-330-0x000000000046D1F4-mapping.dmp

Download
memory/3680-336-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3696-321-0x0000000000000000-mapping.dmp

Download
memory/3708-312-0x000000000046D1F4-mapping.dmp

Download
memory/3768-411-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3796-430-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3816-159-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3816-149-0x000000000046D1F4-mapping.dmp

Download
memory/3816-160-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/3832-239-0x000000000046D1F4-mapping.dmp

Download
memory/3832-250-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3904-374-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3904-362-0x000000000046D1F4-mapping.dmp

Download
memory/3908-170-0x0000000000000000-mapping.dmp

Download
memory/3908-414-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/3944-205-0x0000000000000000-mapping.dmp

Download
memory/4000-432-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4048-456-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4060-357-0x0000000000000000-mapping.dmp

Download
memory/4084-269-0x0000000000000000-mapping.dmp

Download
memory/4108-458-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4152-454-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/4264-469-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/4308-470-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4360-479-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/4464-487-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/4528-488-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4580-493-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4716-507-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4804-515-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download
memory/4900-523-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/5024-532-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads