pony | ab479389ce28fb6d30f6b6c60346aed6aba5d32b6a5c2e41cb8e7a640d4a5c91

Analysis

max time kernel
122s
max time network
15s
platform
windows7_x64
resource
win7v20210410
submitted
21-07-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pony.exe
Size

2.6MB
MD5

ae95ec88d9b9ff869181e6fe2c60ca6f
SHA1

0f24a43b088b64d19f1bce99e80f80108005ad02
SHA256

ab479389ce28fb6d30f6b6c60346aed6aba5d32b6a5c2e41cb8e7a640d4a5c91
SHA512

626a2702c0c9ddfcea1af665d80673520002b00f1a3c190709671c878e83d86b71b71d8e281fb21b49ec5a8847b677bbd157e6a8962e601ad183c6c4be4bc994

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1480	explorer.exe
1964	explorer.exe
1848	explorer.exe
980	spoolsv.exe
788	spoolsv.exe
1212	spoolsv.exe
1616	spoolsv.exe
1308	spoolsv.exe
1592	spoolsv.exe
804	spoolsv.exe
1472	spoolsv.exe
828	spoolsv.exe
1720	spoolsv.exe
1476	spoolsv.exe
1688	spoolsv.exe
1788	spoolsv.exe
560	spoolsv.exe
860	spoolsv.exe
1732	spoolsv.exe
1476	spoolsv.exe
728	spoolsv.exe
1480	spoolsv.exe
948	spoolsv.exe
652	spoolsv.exe
860	spoolsv.exe
1308	spoolsv.exe
1744	spoolsv.exe
2024	spoolsv.exe
652	spoolsv.exe
1824	spoolsv.exe
1948	spoolsv.exe
2000	spoolsv.exe
1176	spoolsv.exe
828	spoolsv.exe
1524	spoolsv.exe
1308	spoolsv.exe
2028	spoolsv.exe
756	spoolsv.exe
1544	spoolsv.exe
1816	spoolsv.exe
824	spoolsv.exe
756	spoolsv.exe
2044	spoolsv.exe
828	spoolsv.exe
668	spoolsv.exe
1052	spoolsv.exe
756	spoolsv.exe
960	spoolsv.exe
1740	spoolsv.exe
1568	spoolsv.exe
956	spoolsv.exe
1348	spoolsv.exe
2052	spoolsv.exe
2096	spoolsv.exe
2176	spoolsv.exe
2188	spoolsv.exe
2212	spoolsv.exe
2312	spoolsv.exe
2456	spoolsv.exe
2488	spoolsv.exe
2512	spoolsv.exe
2528	spoolsv.exe
2568	spoolsv.exe
2600	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 2 IoCs

Processes:

pony.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pony.exe	pony.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pony.exe	pony.exe

Loads dropped DLL 64 IoCs

Processes:

pony.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
992	pony.exe
992	pony.exe
1848	explorer.exe
1848	explorer.exe
980	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1212	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1308	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
804	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
828	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1476	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1788	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
860	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1476	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1480	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
652	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1308	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
2024	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1824	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
2000	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
828	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1308	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
756	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1816	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
756	spoolsv.exe
1848	explorer.exe
1848	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 39 IoCs

Processes:

pony.exepony.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1084 set thread context of 1148	1084	pony.exe	pony.exe
PID 1148 set thread context of 992	1148	pony.exe	pony.exe
PID 1480 set thread context of 1964	1480	explorer.exe	explorer.exe
PID 1964 set thread context of 1848	1964	explorer.exe	explorer.exe
PID 980 set thread context of 788	980	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 1616	1212	spoolsv.exe	spoolsv.exe
PID 1308 set thread context of 1592	1308	spoolsv.exe	spoolsv.exe
PID 804 set thread context of 1472	804	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 1720	828	spoolsv.exe	spoolsv.exe
PID 1476 set thread context of 1688	1476	spoolsv.exe	spoolsv.exe
PID 1788 set thread context of 560	1788	spoolsv.exe	spoolsv.exe
PID 860 set thread context of 1732	860	spoolsv.exe	spoolsv.exe
PID 1476 set thread context of 728	1476	spoolsv.exe	spoolsv.exe
PID 1480 set thread context of 948	1480	spoolsv.exe	spoolsv.exe
PID 652 set thread context of 860	652	spoolsv.exe	spoolsv.exe
PID 1308 set thread context of 1744	1308	spoolsv.exe	spoolsv.exe
PID 2024 set thread context of 652	2024	spoolsv.exe	spoolsv.exe
PID 1824 set thread context of 1948	1824	spoolsv.exe	spoolsv.exe
PID 2000 set thread context of 1176	2000	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 1524	828	spoolsv.exe	spoolsv.exe
PID 1308 set thread context of 2028	1308	spoolsv.exe	spoolsv.exe
PID 756 set thread context of 1544	756	spoolsv.exe	spoolsv.exe
PID 1816 set thread context of 824	1816	spoolsv.exe	spoolsv.exe
PID 756 set thread context of 2044	756	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 668	828	spoolsv.exe	spoolsv.exe
PID 1052 set thread context of 756	1052	spoolsv.exe	spoolsv.exe
PID 1740 set thread context of 1568	1740	spoolsv.exe	spoolsv.exe
PID 956 set thread context of 1348	956	spoolsv.exe	spoolsv.exe
PID 2052 set thread context of 2096	2052	spoolsv.exe	spoolsv.exe
PID 788 set thread context of 2188	788	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 2212	1616	spoolsv.exe	spoolsv.exe
PID 1592 set thread context of 2312	1592	spoolsv.exe	spoolsv.exe
PID 2176 set thread context of 2456	2176	spoolsv.exe	spoolsv.exe
PID 824 set thread context of 2444	824	spoolsv.exe	spoolsv.exe
PID 2488 set thread context of 2512	2488	spoolsv.exe	spoolsv.exe
PID 1472 set thread context of 2528	1472	spoolsv.exe	spoolsv.exe
PID 1720 set thread context of 2568	1720	spoolsv.exe	spoolsv.exe
PID 668 set thread context of 2580	668	spoolsv.exe	spoolsv.exe
PID 2600 set thread context of 2632	2600	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 53 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exepony.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepony.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	pony.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	pony.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

pony.exeexplorer.exe

pid	process
992	pony.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe

Suspicious use of SetWindowsHookEx 45 IoCs

Processes:

pid	process
1084	pony.exe
992	pony.exe
992	pony.exe
1480	explorer.exe
1848	explorer.exe
1848	explorer.exe
980	spoolsv.exe
1848	explorer.exe
1848	explorer.exe
1212	spoolsv.exe
1308	spoolsv.exe
804	spoolsv.exe
828	spoolsv.exe
1476	spoolsv.exe
1788	spoolsv.exe
860	spoolsv.exe
1476	spoolsv.exe
1480	spoolsv.exe
652	spoolsv.exe
1308	spoolsv.exe
2024	spoolsv.exe
1824	spoolsv.exe
2000	spoolsv.exe
828	spoolsv.exe
1308	spoolsv.exe
756	spoolsv.exe
1816	spoolsv.exe
756	spoolsv.exe
828	spoolsv.exe
1052	spoolsv.exe
1740	spoolsv.exe
956	spoolsv.exe
2052	spoolsv.exe
2188	spoolsv.exe
2212	spoolsv.exe
2188	spoolsv.exe
2312	spoolsv.exe
2176	spoolsv.exe
2312	spoolsv.exe
2212	spoolsv.exe
2488	spoolsv.exe
2600	spoolsv.exe
2528	spoolsv.exe
2568	spoolsv.exe
2568	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pony.exepony.exepony.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1084 wrote to memory of 1148	1084	pony.exe	pony.exe
PID 1148 wrote to memory of 1996	1148	pony.exe	splwow64.exe
PID 1148 wrote to memory of 1996	1148	pony.exe	splwow64.exe
PID 1148 wrote to memory of 1996	1148	pony.exe	splwow64.exe
PID 1148 wrote to memory of 1996	1148	pony.exe	splwow64.exe
PID 1148 wrote to memory of 992	1148	pony.exe	pony.exe
PID 1148 wrote to memory of 992	1148	pony.exe	pony.exe
PID 1148 wrote to memory of 992	1148	pony.exe	pony.exe
PID 1148 wrote to memory of 992	1148	pony.exe	pony.exe
PID 1148 wrote to memory of 992	1148	pony.exe	pony.exe
PID 1148 wrote to memory of 992	1148	pony.exe	pony.exe
PID 992 wrote to memory of 1480	992	pony.exe	explorer.exe
PID 992 wrote to memory of 1480	992	pony.exe	explorer.exe
PID 992 wrote to memory of 1480	992	pony.exe	explorer.exe
PID 992 wrote to memory of 1480	992	pony.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1480 wrote to memory of 1964	1480	explorer.exe	explorer.exe
PID 1964 wrote to memory of 1848	1964	explorer.exe	explorer.exe
PID 1964 wrote to memory of 1848	1964	explorer.exe	explorer.exe
PID 1964 wrote to memory of 1848	1964	explorer.exe	explorer.exe
PID 1964 wrote to memory of 1848	1964	explorer.exe	explorer.exe
PID 1964 wrote to memory of 1848	1964	explorer.exe	explorer.exe
PID 1964 wrote to memory of 1848	1964	explorer.exe	explorer.exe
PID 1848 wrote to memory of 980	1848	explorer.exe	spoolsv.exe
PID 1848 wrote to memory of 980	1848	explorer.exe	spoolsv.exe
PID 1848 wrote to memory of 980	1848	explorer.exe	spoolsv.exe
PID 1848 wrote to memory of 980	1848	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 788	980	spoolsv.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\pony.exe
"C:\Users\Admin\AppData\Local\Temp\pony.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\pony.exe
"C:\Users\Admin\AppData\Local\Temp\pony.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\pony.exe
"C:\Users\Admin\AppData\Local\Temp\pony.exe"
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1964

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:788

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1616

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1592

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1472

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1720

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1688

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:560

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1732

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:728

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:948

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:860

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1744

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:652

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1948

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1176

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1524

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2028

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1544

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:824

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2044

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:668

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:756

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:932

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\system\explorer.exe
MD5
33ac6d48bef37573ca8a87c1eeb5ed34

SHA1
ea2873d2317a17d8ff3b9b3ba11d9295c81fe0af

SHA256
e5c49c69459d8f36d250e361c3f649addbbbe54ab79b5e456a901935a99eb8a0

SHA512
db6cba138e4decda995219353b9bbcf8b6e9c43053cb7878d9d24b687bd20a6364bda7f9cb801d59a09acef6e1a936c3e74f7f97e66f51144a19d6639ab56577

Download Submit
C:\Windows\system\explorer.exe
MD5
33ac6d48bef37573ca8a87c1eeb5ed34

SHA1
ea2873d2317a17d8ff3b9b3ba11d9295c81fe0af

SHA256
e5c49c69459d8f36d250e361c3f649addbbbe54ab79b5e456a901935a99eb8a0

SHA512
db6cba138e4decda995219353b9bbcf8b6e9c43053cb7878d9d24b687bd20a6364bda7f9cb801d59a09acef6e1a936c3e74f7f97e66f51144a19d6639ab56577

Download Submit
C:\Windows\system\explorer.exe
MD5
33ac6d48bef37573ca8a87c1eeb5ed34

SHA1
ea2873d2317a17d8ff3b9b3ba11d9295c81fe0af

SHA256
e5c49c69459d8f36d250e361c3f649addbbbe54ab79b5e456a901935a99eb8a0

SHA512
db6cba138e4decda995219353b9bbcf8b6e9c43053cb7878d9d24b687bd20a6364bda7f9cb801d59a09acef6e1a936c3e74f7f97e66f51144a19d6639ab56577

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\??\c:\windows\system\explorer.exe
MD5
33ac6d48bef37573ca8a87c1eeb5ed34

SHA1
ea2873d2317a17d8ff3b9b3ba11d9295c81fe0af

SHA256
e5c49c69459d8f36d250e361c3f649addbbbe54ab79b5e456a901935a99eb8a0

SHA512
db6cba138e4decda995219353b9bbcf8b6e9c43053cb7878d9d24b687bd20a6364bda7f9cb801d59a09acef6e1a936c3e74f7f97e66f51144a19d6639ab56577

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\explorer.exe
MD5
33ac6d48bef37573ca8a87c1eeb5ed34

SHA1
ea2873d2317a17d8ff3b9b3ba11d9295c81fe0af

SHA256
e5c49c69459d8f36d250e361c3f649addbbbe54ab79b5e456a901935a99eb8a0

SHA512
db6cba138e4decda995219353b9bbcf8b6e9c43053cb7878d9d24b687bd20a6364bda7f9cb801d59a09acef6e1a936c3e74f7f97e66f51144a19d6639ab56577

Download Submit
\Windows\system\explorer.exe
MD5
33ac6d48bef37573ca8a87c1eeb5ed34

SHA1
ea2873d2317a17d8ff3b9b3ba11d9295c81fe0af

SHA256
e5c49c69459d8f36d250e361c3f649addbbbe54ab79b5e456a901935a99eb8a0

SHA512
db6cba138e4decda995219353b9bbcf8b6e9c43053cb7878d9d24b687bd20a6364bda7f9cb801d59a09acef6e1a936c3e74f7f97e66f51144a19d6639ab56577

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
\Windows\system\spoolsv.exe
MD5
38b8fdfcfd9a3bfc0a90ac07d168cc58

SHA1
a4066d8c75bbe653dd95ca9b754cc192add697a3

SHA256
27366208af6592160abdd6a06b0822dc5d4654c3e40456abe2917665df15e2e3

SHA512
181ef4edbce22089dba4d32605fe978c4a125e29e4a0b27fcc6fdf6be0a5e5760f7f23fc42c832eeadec3997e8581031de10b2c9492c5b4783f85c20a316dd6b

Download Submit
memory/560-206-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/560-187-0x000000000046D1F4-mapping.dmp

Download
memory/652-221-0x0000000000000000-mapping.dmp

Download
memory/652-239-0x000000000046D1F4-mapping.dmp

Download
memory/652-248-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/668-301-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/668-294-0x000000000046D1F4-mapping.dmp

Download
memory/728-246-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/728-212-0x000000000046D1F4-mapping.dmp

Download
memory/756-284-0x0000000000000000-mapping.dmp

Download
memory/756-269-0x0000000000000000-mapping.dmp

Download
memory/756-302-0x000000000046D1F4-mapping.dmp

Download
memory/756-306-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/788-118-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/788-115-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/788-105-0x000000000046D1F4-mapping.dmp

Download
memory/804-135-0x0000000000000000-mapping.dmp

Download
memory/824-282-0x000000000046D1F4-mapping.dmp

Download
memory/828-255-0x0000000000000000-mapping.dmp

Download
memory/828-290-0x0000000000000000-mapping.dmp

Download
memory/828-153-0x0000000000000000-mapping.dmp

Download
memory/860-234-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/860-226-0x000000000046D1F4-mapping.dmp

Download
memory/860-195-0x0000000000000000-mapping.dmp

Download
memory/948-224-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/948-219-0x000000000046D1F4-mapping.dmp

Download
memory/956-313-0x0000000000000000-mapping.dmp

Download
memory/960-304-0x0000000000000000-mapping.dmp

Download
memory/980-98-0x0000000000000000-mapping.dmp

Download
memory/992-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/992-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/992-69-0x0000000000403670-mapping.dmp

Download
memory/1052-296-0x0000000000000000-mapping.dmp

Download
memory/1148-65-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1148-63-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1148-62-0x000000000046D1F4-mapping.dmp

Download
memory/1148-66-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1148-61-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1176-253-0x000000000046D1F4-mapping.dmp

Download
memory/1176-259-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1212-110-0x0000000000000000-mapping.dmp

Download
memory/1308-123-0x0000000000000000-mapping.dmp

Download
memory/1308-228-0x0000000000000000-mapping.dmp

Download
memory/1308-263-0x0000000000000000-mapping.dmp

Download
memory/1348-318-0x000000000046D1F4-mapping.dmp

Download
memory/1348-320-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1436-456-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1472-161-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1472-147-0x000000000046D1F4-mapping.dmp

Download
memory/1476-208-0x0000000000000000-mapping.dmp

Download
memory/1476-166-0x0000000000000000-mapping.dmp

Download
memory/1480-76-0x0000000000000000-mapping.dmp

Download
memory/1480-213-0x0000000000000000-mapping.dmp

Download
memory/1524-276-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1524-261-0x000000000046D1F4-mapping.dmp

Download
memory/1544-280-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1544-273-0x000000000046D1F4-mapping.dmp

Download
memory/1568-314-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1568-311-0x000000000046D1F4-mapping.dmp

Download
memory/1592-130-0x000000000046D1F4-mapping.dmp

Download
memory/1592-138-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1616-117-0x000000000046D1F4-mapping.dmp

Download
memory/1688-204-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-172-0x000000000046D1F4-mapping.dmp

Download
memory/1720-173-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-160-0x000000000046D1F4-mapping.dmp

Download
memory/1732-205-0x000000000046D1F4-mapping.dmp

Download
memory/1732-217-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1740-307-0x0000000000000000-mapping.dmp

Download
memory/1744-232-0x000000000046D1F4-mapping.dmp

Download
memory/1788-178-0x0000000000000000-mapping.dmp

Download
memory/1816-275-0x0000000000000000-mapping.dmp

Download
memory/1824-241-0x0000000000000000-mapping.dmp

Download
memory/1848-90-0x0000000000403670-mapping.dmp

Download
memory/1948-245-0x000000000046D1F4-mapping.dmp

Download
memory/1948-258-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1964-87-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1964-83-0x000000000046D1F4-mapping.dmp

Download
memory/1964-88-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1996-64-0x0000000000000000-mapping.dmp

Download
memory/1996-67-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/2000-249-0x0000000000000000-mapping.dmp

Download
memory/2024-235-0x0000000000000000-mapping.dmp

Download
memory/2028-267-0x000000000046D1F4-mapping.dmp

Download
memory/2028-277-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2044-300-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2044-288-0x000000000046D1F4-mapping.dmp

Download
memory/2052-321-0x0000000000000000-mapping.dmp

Download
memory/2076-458-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2096-325-0x000000000046D1F4-mapping.dmp

Download
memory/2096-327-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2128-472-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2176-328-0x0000000000000000-mapping.dmp

Download
memory/2188-332-0x0000000000403670-mapping.dmp

Download
memory/2212-333-0x0000000000403670-mapping.dmp

Download
memory/2312-340-0x0000000000403670-mapping.dmp

Download
memory/2456-348-0x000000000046D1F4-mapping.dmp

Download
memory/2456-350-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2488-351-0x0000000000000000-mapping.dmp

Download
memory/2492-479-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2508-471-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2512-355-0x000000000046D1F4-mapping.dmp

Download
memory/2756-492-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2860-403-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3012-438-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads