pony | 7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
Size

412KB
MD5

6c7fd946880c60b80cce8f628df5a08e
SHA1

032454e6654a031ab87fc7d868c4f50336d99905
SHA256

7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5
SHA512

a0c727e2052d3ad04e76712f3392b9ccc419bc46d6804603117a045bdc3135990fe9e7ec90b37d82f7151c3fb79013573b7b0c53566fb9dc287de3cff482ad06
SSDEEP

3072:r+1Odly+68UI7ubv+CrV5tNDVIeROnhMReHHvWMagAdfsFcy6fsFcyybDUgL+wfK:rzlP6gIG6DJIvdHHvcPal

Score

10^/10

pony collection persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://payquick.net84.net/amby/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 3 IoCs

pid	Process
5028	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	BthHFSrv.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\NcbService.exe"	NcbService.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4456 set thread context of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 set thread context of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
5028	NcbService.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
5028	NcbService.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
5028	NcbService.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
5028	NcbService.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
3332	BthHFSrv.exe
3332	BthHFSrv.exe
3332	BthHFSrv.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe
4836	NcbService.exe
3332	BthHFSrv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
Token: SeImpersonatePrivilege	2640	vbc.exe
Token: SeTcbPrivilege	2640	vbc.exe
Token: SeChangeNotifyPrivilege	2640	vbc.exe
Token: SeCreateTokenPrivilege	2640	vbc.exe
Token: SeBackupPrivilege	2640	vbc.exe
Token: SeRestorePrivilege	2640	vbc.exe
Token: SeIncreaseQuotaPrivilege	2640	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2640	vbc.exe
Token: SeDebugPrivilege	5028	NcbService.exe
Token: SeImpersonatePrivilege	2640	vbc.exe
Token: SeTcbPrivilege	2640	vbc.exe
Token: SeChangeNotifyPrivilege	2640	vbc.exe
Token: SeCreateTokenPrivilege	2640	vbc.exe
Token: SeBackupPrivilege	2640	vbc.exe
Token: SeRestorePrivilege	2640	vbc.exe
Token: SeIncreaseQuotaPrivilege	2640	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2640	vbc.exe
Token: SeImpersonatePrivilege	2640	vbc.exe
Token: SeTcbPrivilege	2640	vbc.exe
Token: SeChangeNotifyPrivilege	2640	vbc.exe
Token: SeCreateTokenPrivilege	2640	vbc.exe
Token: SeBackupPrivilege	2640	vbc.exe
Token: SeRestorePrivilege	2640	vbc.exe
Token: SeIncreaseQuotaPrivilege	2640	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2640	vbc.exe
Token: SeImpersonatePrivilege	2640	vbc.exe
Token: SeTcbPrivilege	2640	vbc.exe
Token: SeChangeNotifyPrivilege	2640	vbc.exe
Token: SeCreateTokenPrivilege	2640	vbc.exe
Token: SeBackupPrivilege	2640	vbc.exe
Token: SeRestorePrivilege	2640	vbc.exe
Token: SeIncreaseQuotaPrivilege	2640	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2640	vbc.exe
Token: SeImpersonatePrivilege	2640	vbc.exe
Token: SeTcbPrivilege	2640	vbc.exe
Token: SeChangeNotifyPrivilege	2640	vbc.exe
Token: SeCreateTokenPrivilege	2640	vbc.exe
Token: SeBackupPrivilege	2640	vbc.exe
Token: SeRestorePrivilege	2640	vbc.exe
Token: SeIncreaseQuotaPrivilege	2640	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2640	vbc.exe
Token: SeImpersonatePrivilege	2640	vbc.exe
Token: SeTcbPrivilege	2640	vbc.exe
Token: SeChangeNotifyPrivilege	2640	vbc.exe
Token: SeCreateTokenPrivilege	2640	vbc.exe
Token: SeBackupPrivilege	2640	vbc.exe
Token: SeRestorePrivilege	2640	vbc.exe
Token: SeIncreaseQuotaPrivilege	2640	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2640	vbc.exe
Token: SeDebugPrivilege	3332	BthHFSrv.exe
Token: SeImpersonatePrivilege	4168	vbc.exe
Token: SeTcbPrivilege	4168	vbc.exe
Token: SeChangeNotifyPrivilege	4168	vbc.exe
Token: SeCreateTokenPrivilege	4168	vbc.exe
Token: SeBackupPrivilege	4168	vbc.exe
Token: SeRestorePrivilege	4168	vbc.exe
Token: SeIncreaseQuotaPrivilege	4168	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	4168	vbc.exe
Token: SeImpersonatePrivilege	4168	vbc.exe
Token: SeTcbPrivilege	4168	vbc.exe
Token: SeChangeNotifyPrivilege	4168	vbc.exe
Token: SeCreateTokenPrivilege	4168	vbc.exe
Token: SeBackupPrivilege	4168	vbc.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 wrote to memory of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 wrote to memory of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 wrote to memory of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 wrote to memory of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 wrote to memory of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 wrote to memory of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 wrote to memory of 2640	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	86
PID 4456 wrote to memory of 5028	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	87
PID 4456 wrote to memory of 5028	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	87
PID 4456 wrote to memory of 5028	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	87
PID 5028 wrote to memory of 3332	5028	NcbService.exe	88
PID 5028 wrote to memory of 3332	5028	NcbService.exe	88
PID 5028 wrote to memory of 3332	5028	NcbService.exe	88
PID 2640 wrote to memory of 2224	2640	vbc.exe	89
PID 2640 wrote to memory of 2224	2640	vbc.exe	89
PID 2640 wrote to memory of 2224	2640	vbc.exe	89
PID 4456 wrote to memory of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91
PID 4456 wrote to memory of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91
PID 4456 wrote to memory of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91
PID 4456 wrote to memory of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91
PID 4456 wrote to memory of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91
PID 4456 wrote to memory of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91
PID 4456 wrote to memory of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91
PID 4456 wrote to memory of 4168	4456	7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe	91
PID 4168 wrote to memory of 3988	4168	vbc.exe	92
PID 4168 wrote to memory of 3988	4168	vbc.exe	92
PID 4168 wrote to memory of 3988	4168	vbc.exe	92
PID 3332 wrote to memory of 4836	3332	BthHFSrv.exe	94
PID 3332 wrote to memory of 4836	3332	BthHFSrv.exe	94
PID 3332 wrote to memory of 4836	3332	BthHFSrv.exe	94

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe
"C:\Users\Admin\AppData\Local\Temp\7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240586953.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
    3⤵
    PID:2224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\BthHFSrv.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\BthHFSrv
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4836
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240588875.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
    3⤵
    PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NcbService.exe.log

Filesize
404B

MD5
15b6596d028baa2a113143d1828bcc36

SHA1
f1be43126c4e765fe499718c388823d44bf1fef1

SHA256
529f9fde2234067382b4c6fb8e5aee49d8a8b1b85c82b0bdae425fa2a0264f75

SHA512
f2a6cb8498f596c7bf9178ea32a245dbb3657f43a179f378ce952ce5cb8580810cd67ef1efb623bcf6cd796d74e2c9b7bc42cb8665ead397546ce3b400181e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\240586953.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\240588875.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\BthHFSrv.exe

Filesize
412KB

MD5
6c7fd946880c60b80cce8f628df5a08e

SHA1
032454e6654a031ab87fc7d868c4f50336d99905

SHA256
7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5

SHA512
a0c727e2052d3ad04e76712f3392b9ccc419bc46d6804603117a045bdc3135990fe9e7ec90b37d82f7151c3fb79013573b7b0c53566fb9dc287de3cff482ad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\BthHFSrv.exe

Filesize
412KB

MD5
6c7fd946880c60b80cce8f628df5a08e

SHA1
032454e6654a031ab87fc7d868c4f50336d99905

SHA256
7dfcb93e0885d7d43afc9eabb265f8519df7684d76d199c9c90254ca058ebdb5

SHA512
a0c727e2052d3ad04e76712f3392b9ccc419bc46d6804603117a045bdc3135990fe9e7ec90b37d82f7151c3fb79013573b7b0c53566fb9dc287de3cff482ad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
memory/2640-141-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2640-147-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2640-135-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2640-137-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3332-165-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3332-148-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4168-156-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4168-153-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4168-158-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4456-155-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4456-132-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4456-133-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4836-164-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4836-166-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/5028-150-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/5028-142-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download