Overview

overview

10

Static

static

10

b59856f4b8...8N.exe

windows7-x64

10

b59856f4b8...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b59856f4b80bc5a2a29451c27055c68d66a39570d37c960f9ff1b84ff3e3bac8N.exe

  • Size

    2.2MB

  • MD5

    a383bc9543c8d706c922fa07454e0390

  • SHA1

    34a6bd58c7ffbd760473613a07213738bc5c59aa

  • SHA256

    b59856f4b80bc5a2a29451c27055c68d66a39570d37c960f9ff1b84ff3e3bac8

  • SHA512

    6a9444aa1a8f2f0f1912a6813657b40b69064299c2930e361966ea245fd03696bcd3e5301d23eb2fc3a4a8c72114c48a0747eeaf2ff8472e3ac01a1cc644f89b

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZV:0UzeyQMS4DqodCnoe+iitjWwwJ

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 33 IoCs
  • Drops file in Windows directory 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b59856f4b80bc5a2a29451c27055c68d66a39570d37c960f9ff1b84ff3e3bac8N.exe
    "C:\Users\Admin\AppData\Local\Temp\b59856f4b80bc5a2a29451c27055c68d66a39570d37c960f9ff1b84ff3e3bac8N.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:4408
      • C:\Users\Admin\AppData\Local\Temp\b59856f4b80bc5a2a29451c27055c68d66a39570d37c960f9ff1b84ff3e3bac8N.exe
        "C:\Users\Admin\AppData\Local\Temp\b59856f4b80bc5a2a29451c27055c68d66a39570d37c960f9ff1b84ff3e3bac8N.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3632
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:768
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2468
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4296
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3156
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:4076
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:5104
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1780
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2392
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1420
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1048
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4396
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2268
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1348
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4472
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3896
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2756
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:5112
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4952
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4928
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3480
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3820
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4212
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:964
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2708
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3188
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:2744
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:972
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3268
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:816
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2600
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1288
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1536
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1248
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3276
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3100
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3968
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1480
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2396
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1888
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:5116
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2984
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3212
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3140
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3544
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3368
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4856
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2904
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2288
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3688
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4548
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4448
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:4544
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3792
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3120
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4224
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3872
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2988
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:4704
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4900
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3352
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3624
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2504
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2028
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1484
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3900
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4568
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2460
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:4036
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3992
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4468
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:3720
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1664
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3112
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2160
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4436
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1520
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4820
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3528
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2800
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Drops file in Windows directory
              PID:4708
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • System Location Discovery: System Language Discovery
              PID:632
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
                PID:1280
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                  PID:1736
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
          1⤵
            PID:4460

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Parameters.ini
            Filesize

            74B

            MD5

            6687785d6a31cdf9a5f80acb3abc459b

            SHA1

            1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

            SHA256

            3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

            SHA512

            5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

            Download Submit

          • C:\Windows\System\explorer.exe
            Filesize

            2.2MB

            MD5

            2d4589c01b0437eace3cb736d8680422

            SHA1

            dbc7e8aac6edb7cc59e1297cee7b5dded32aca40

            SHA256

            bfc11c882a130310c10cf1672571f3e229c155fde51a78c0f4a7417156ea182f

            SHA512

            6d62b440506ac917f131cab3e21f1351babb017d9bffbf92bba38f89e5c65663f6b67c978a4ec17b660c3dcdcb6aa010fd116c0e519c9dadd175f24d9cf7910c

            Download Submit

          • C:\Windows\System\spoolsv.exe
            Filesize

            2.2MB

            MD5

            d00333acb8fc7440187281bd8a3be5d8

            SHA1

            067b61bf9867261ab4920bc4a44a3743ddceabd2

            SHA256

            dafa22efd245a942fcddbd443b76efdddf2b7dcb418ffeffbd6974050d90065f

            SHA512

            54988eea8b2e57343e8d1731495e1d6f45f2b2a4fd58ee1a63ee749a59420462067b5d10bf040c4823291fdd5cf04217e45a87c2141e04424ce2f1cd546a8d21

            Download Submit

          • memory/768-74-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/768-80-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/816-1423-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/964-2111-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/972-1352-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1048-1932-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1248-1547-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1288-1490-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1348-1034-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1420-1933-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1420-897-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1480-1692-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1536-2305-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/1780-1859-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1780-836-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2028-2864-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2268-1942-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2288-1923-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2392-1869-0x0000000000440000-0x0000000000509000-memory.dmp

            Filesize

            804KB

            Download

          • memory/2392-1863-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2396-2479-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2396-2658-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2460-3159-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2468-649-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2468-79-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2600-2290-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2600-2293-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2708-1295-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2756-2166-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2756-2044-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2904-2547-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2984-2493-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2992-38-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2992-0-0x0000000002370000-0x0000000002371000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2992-31-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2992-32-0x0000000002370000-0x0000000002371000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3100-1619-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3120-2685-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3120-2683-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3140-2503-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3156-1838-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3156-1996-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3188-2378-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3188-2264-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3212-1760-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3268-2278-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3268-2282-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3276-2313-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3352-2854-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3368-2513-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3480-1182-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3544-1832-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3632-34-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3632-63-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3632-35-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3792-1941-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3820-2100-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3820-2097-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3872-2694-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3872-2696-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3896-1105-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3900-2938-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3900-2934-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3968-2322-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4212-1228-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4296-1839-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4296-711-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4396-948-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4396-1940-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4448-2674-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4448-2773-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4468-3398-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4472-1970-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4548-1927-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4704-2705-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4856-1862-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4928-2091-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4952-1181-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/5104-3303-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/5116-1693-0x0000000000400000-0x00000000005D3000-memory.dmp

            Filesize

            1.8MB

            Download