pony | d99870981586e21d1bff1ada990a126c854674d9fc2baef87441a5e94a9b73de

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff0452c618fb5ff3b2acf804d56e499f_JaffaCakes118.msi
Size

1.3MB
MD5

ff0452c618fb5ff3b2acf804d56e499f
SHA1

140cc35c62afb08f46c4942003083e89e6bc21e4
SHA256

d99870981586e21d1bff1ada990a126c854674d9fc2baef87441a5e94a9b73de
SHA512

42a6cd4e5a91c5976b58a7076b824c4728e5bbd3c988c9ed1e6ac099c5d597f75fba87fc2d0f06d22a6dcd21edd9eebe6fd9d7d737b3d5fb2167db8ea08e4bb5
SSDEEP

12288:dE5vhW6Rzx/LA/A8RNwlAiP6CEhH1IfkGdl8o6h69n02e2ZP:dE3Rzx/L2A8R6lAiP62f6c9n0GZP

Score

10^/10

pony collection credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

pony

http://onlygoodm.com/ac9/gate.php

Attributes

payload_url
http://onlygoodm.com/ac9/ac9.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	EKSPEDITREN.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	EKSPEDITREN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Joergen5 = "wscript \"C:\\Users\\Admin\\ANTAENDER\\EKSPEDITREN.vbs\""	EKSPEDITREN.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	MSIBFA7.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	EKSPEDITREN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57be6e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBFA7.tmp	msiexec.exe
File opened for modification	C:\Windows\win.ini	MSIBFA7.tmp
File created	C:\Windows\Installer\e57be6e.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF39.tmp	msiexec.exe
File opened for modification	C:\Windows\win.ini	MSIBFA7.tmp
File opened for modification	C:\Windows\win.ini	EKSPEDITREN.exe
File opened for modification	C:\Windows\win.ini	EKSPEDITREN.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
448	MSIBFA7.tmp
4612	MSIBFA7.tmp
3224	EKSPEDITREN.exe
4932	EKSPEDITREN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4988	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIBFA7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIBFA7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EKSPEDITREN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EKSPEDITREN.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005d98d1691ddd1b040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005d98d1690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005d98d169000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5d98d169000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005d98d16900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4716	msiexec.exe
4716	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4988	msiexec.exe
Token: SeSecurityPrivilege	4716	msiexec.exe
Token: SeCreateTokenPrivilege	4988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4988	msiexec.exe
Token: SeLockMemoryPrivilege	4988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4988	msiexec.exe
Token: SeMachineAccountPrivilege	4988	msiexec.exe
Token: SeTcbPrivilege	4988	msiexec.exe
Token: SeSecurityPrivilege	4988	msiexec.exe
Token: SeTakeOwnershipPrivilege	4988	msiexec.exe
Token: SeLoadDriverPrivilege	4988	msiexec.exe
Token: SeSystemProfilePrivilege	4988	msiexec.exe
Token: SeSystemtimePrivilege	4988	msiexec.exe
Token: SeProfSingleProcessPrivilege	4988	msiexec.exe
Token: SeIncBasePriorityPrivilege	4988	msiexec.exe
Token: SeCreatePagefilePrivilege	4988	msiexec.exe
Token: SeCreatePermanentPrivilege	4988	msiexec.exe
Token: SeBackupPrivilege	4988	msiexec.exe
Token: SeRestorePrivilege	4988	msiexec.exe
Token: SeShutdownPrivilege	4988	msiexec.exe
Token: SeDebugPrivilege	4988	msiexec.exe
Token: SeAuditPrivilege	4988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4988	msiexec.exe
Token: SeChangeNotifyPrivilege	4988	msiexec.exe
Token: SeRemoteShutdownPrivilege	4988	msiexec.exe
Token: SeUndockPrivilege	4988	msiexec.exe
Token: SeSyncAgentPrivilege	4988	msiexec.exe
Token: SeEnableDelegationPrivilege	4988	msiexec.exe
Token: SeManageVolumePrivilege	4988	msiexec.exe
Token: SeImpersonatePrivilege	4988	msiexec.exe
Token: SeCreateGlobalPrivilege	4988	msiexec.exe
Token: SeBackupPrivilege	3732	vssvc.exe
Token: SeRestorePrivilege	3732	vssvc.exe
Token: SeAuditPrivilege	3732	vssvc.exe
Token: SeBackupPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeBackupPrivilege	2448	srtasks.exe
Token: SeRestorePrivilege	2448	srtasks.exe
Token: SeSecurityPrivilege	2448	srtasks.exe
Token: SeTakeOwnershipPrivilege	2448	srtasks.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeBackupPrivilege	2448	srtasks.exe
Token: SeRestorePrivilege	2448	srtasks.exe
Token: SeSecurityPrivilege	2448	srtasks.exe
Token: SeTakeOwnershipPrivilege	2448	srtasks.exe
Token: SeImpersonatePrivilege	4932	EKSPEDITREN.exe
Token: SeTcbPrivilege	4932	EKSPEDITREN.exe
Token: SeChangeNotifyPrivilege	4932	EKSPEDITREN.exe
Token: SeCreateTokenPrivilege	4932	EKSPEDITREN.exe
Token: SeBackupPrivilege	4932	EKSPEDITREN.exe
Token: SeRestorePrivilege	4932	EKSPEDITREN.exe
Token: SeIncreaseQuotaPrivilege	4932	EKSPEDITREN.exe
Token: SeAssignPrimaryTokenPrivilege	4932	EKSPEDITREN.exe
Token: SeImpersonatePrivilege	4932	EKSPEDITREN.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4988	msiexec.exe
4988	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
448	MSIBFA7.tmp
4612	MSIBFA7.tmp
3224	EKSPEDITREN.exe
4932	EKSPEDITREN.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 2448	4716	msiexec.exe	99
PID 4716 wrote to memory of 2448	4716	msiexec.exe	99
PID 4716 wrote to memory of 448	4716	msiexec.exe	101
PID 4716 wrote to memory of 448	4716	msiexec.exe	101
PID 4716 wrote to memory of 448	4716	msiexec.exe	101
PID 448 wrote to memory of 4612	448	MSIBFA7.tmp	102
PID 448 wrote to memory of 4612	448	MSIBFA7.tmp	102
PID 448 wrote to memory of 4612	448	MSIBFA7.tmp	102
PID 4612 wrote to memory of 3224	4612	MSIBFA7.tmp	103
PID 4612 wrote to memory of 3224	4612	MSIBFA7.tmp	103
PID 4612 wrote to memory of 3224	4612	MSIBFA7.tmp	103
PID 3224 wrote to memory of 4932	3224	EKSPEDITREN.exe	104
PID 3224 wrote to memory of 4932	3224	EKSPEDITREN.exe	104
PID 3224 wrote to memory of 4932	3224	EKSPEDITREN.exe	104
PID 4932 wrote to memory of 3548	4932	EKSPEDITREN.exe	105
PID 4932 wrote to memory of 3548	4932	EKSPEDITREN.exe	105
PID 4932 wrote to memory of 3548	4932	EKSPEDITREN.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	EKSPEDITREN.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ff0452c618fb5ff3b2acf804d56e499f_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\Installer\MSIBFA7.tmp
  "C:\Windows\Installer\MSIBFA7.tmp"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\Installer\MSIBFA7.tmp
    "C:\Windows\Installer\MSIBFA7.tmp"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\ANTAENDER\EKSPEDITREN.exe
      "C:\Users\Admin\ANTAENDER\EKSPEDITREN.exe"
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Users\Admin\ANTAENDER\EKSPEDITREN.exe
        
        "C:\Users\Admin\ANTAENDER\EKSPEDITREN.exe"
        5⤵
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Checks computer location settings
        Drops file in Windows directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        outlook_win_path
        
        PID:4932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240635421.bat" "C:\Users\Admin\ANTAENDER\EKSPEDITREN.exe" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57be71.rbs

Filesize
663B

MD5
9d7df1d88cf45a661fd2dccf1f95d71e

SHA1
eb18a6d022a8feeb8a9329a593542546813ca971

SHA256
990cbeb0010e3b7222ce365bbf26aad907670afdca4f3fd1cfa9dee1078e8d3b

SHA512
854647c81ac79e60d62b956917f64a5fff119aac2367bb437a7ff83d46e4734429b189ac311fe8c2cfa627cf966ea51908027736cb4c2ad2ea70ea017749bb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\240635421.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Windows\Installer\MSIBFA7.tmp

Filesize
1.3MB

MD5
eeca6e9ee6ab50d3dc9876fcd3da6749

SHA1
65c98a39f8f28b7d6a1280eb98574840a7622aa3

SHA256
cc376b3d8f9dbc742d8f3dcb36b61e4e9fff62b6351efa580a6de92d64c38b5c

SHA512
06e9dc1c7c8233875acea4ea57512a8766c187251ad04f06d629690315d6890ae9018e1f393a890cd99777ccce274089328490b8d224f42569b65f466994a27a

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
e61e0b4426bd222f697e8be58d76346d

SHA1
9fdb4ddb275ba2c273df04f0ce1c593bc27d2447

SHA256
ea97f84d0b1dcb592793a28d6ab909032aad3e645b86c277307d11531a4b2bc1

SHA512
e3bcb5f5cc1566196490a5ea3b738f97fed0ec235ab05183fb001fc6e72a248c719d08e522a39104a40b3605c44e3bd89de84679b77c87cb2afc695c1ee89df9

Download Submit
\??\Volume{69d1985d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4953fd69-bb59-4557-b8a0-6347627d30ea}_OnDiskSnapshotProp

Filesize
6KB

MD5
e897a62577cbcaf8570717022c79df18

SHA1
24a3afbb6acf1ffa971b498f95f236c0550f5de6

SHA256
ba69757603d475303086e69cb3a980f5170de491dee32a55f596611e9b9e0acb

SHA512
46476a9ace6013b7937601191e58dfd7d7f2bdc3f4bb73cf50b5aa24f87fbaba007edd641bbd1c1f87162acaa3eda3b813ce81e3913cbbf305b4c19283208c55

Download Submit
memory/4932-55-0x0000000002230000-0x0000000002237000-memory.dmp

Filesize
28KB

Download
memory/4932-53-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4932-62-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download