Analysis Overview
SHA256
40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779
Threat Level: Known bad
The file 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779 was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Creates new service(s)
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
VMProtect packed file
Deletes itself
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-13 07:15
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-13 07:15
Reported
2024-05-13 07:18
Platform
win7-20240221-en
Max time kernel
143s
Max time network
120s
Command Line
Signatures
XMRig Miner payload
xmrig
Creates new service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Fonts\systam33\w.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\systam33\csrss.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\systam33\csrss.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\systam33\svchost.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\chrome\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\systam33\svchost.exe | N/A |
VMProtect packed file
Drops file in Windows directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Fonts\systam33\w.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Fonts\chrome\chrome.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Fonts\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
"C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe"
C:\Windows\Fonts\systam33\w.exe
"C:\Windows\Fonts\systam33\w.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Fonts\systam33\w.bat" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~1046.tmp.bat"
C:\Windows\SysWOW64\mode.com
mode con: cols=16 lines=2
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~10F2.tmp.bat"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Windows\SysWOW64\sc.exe
sc create UmRdpSerivce binPath= C:\Windows\Fonts\systam33\svchost.exe start= auto
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\Fonts\systam33\csrss.exe
csrss set UmRdpSerivce DisplayName "Remote Desktop Services UserMode Port Redriector"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\Fonts\systam33\csrss.exe
csrss set UmRdpSerivce Description "Allows the redirection of Printers/Drives/Ports for RDP connectoins"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\sc.exe
sc start UmRdpSerivce
C:\Windows\Fonts\systam33\svchost.exe
C:\Windows\Fonts\systam33\svchost.exe
C:\Windows\Fonts\chrome\chrome.exe
C:\Windows\Fonts\chrome\chrome.exe
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\regini.exe
regini 1.ini
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | auto.skypool.xyz | udp |
| HK | 18.166.203.32:6666 | auto.skypool.xyz | tcp |
Files
\Windows\Fonts\systam33\w.exe
C:\Windows\Fonts\systam33\w.bat
C:\Users\Admin\AppData\Local\Temp\HZ~1046.tmp.bat
C:\Users\Admin\AppData\Local\Temp\HZ~10F2.tmp.bat
\Windows\Fonts\systam33\csrss.exe
C:\Windows\Fonts\systam33\svchost.exe
C:\Windows\Fonts\systam33\svchost.ini
\Windows\Fonts\chrome\chrome.exe
C:\Windows\Fonts\chrome\config.json
C:\Windows\Fonts\systam33\1.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-13 07:15
Reported
2024-05-13 07:18
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
100s
Command Line
Signatures
XMRig Miner payload
xmrig
Creates new service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\Fonts\systam33\w.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Fonts\systam33\w.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\systam33\csrss.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\systam33\csrss.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\systam33\svchost.exe | N/A |
| N/A | N/A | C:\Windows\Fonts\chrome\chrome.exe | N/A |
VMProtect packed file
Drops file in Windows directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Fonts\systam33\w.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Fonts\chrome\chrome.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Fonts\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
"C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe"
C:\Windows\Fonts\systam33\w.exe
"C:\Windows\Fonts\systam33\w.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systam33\w.bat" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~44F8.tmp.bat"
C:\Windows\SysWOW64\mode.com
mode con: cols=16 lines=2
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~46CD.tmp.bat"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Windows\SysWOW64\sc.exe
sc create UmRdpSerivce binPath= C:\Windows\Fonts\systam33\svchost.exe start= auto
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\Fonts\systam33\csrss.exe
csrss set UmRdpSerivce DisplayName "Remote Desktop Services UserMode Port Redriector"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\Fonts\systam33\csrss.exe
csrss set UmRdpSerivce Description "Allows the redirection of Printers/Drives/Ports for RDP connectoins"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\sc.exe
sc start UmRdpSerivce
C:\Windows\Fonts\systam33\svchost.exe
C:\Windows\Fonts\systam33\svchost.exe
C:\Windows\Fonts\chrome\chrome.exe
C:\Windows\Fonts\chrome\chrome.exe
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\regini.exe
regini 1.ini
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
C:\Windows\Fonts\systam33\w.exe
C:\Windows\Fonts\systam33\w.bat
C:\Users\Admin\AppData\Local\Temp\HZ~44F8.tmp.bat
C:\Users\Admin\AppData\Local\Temp\HZ~46CD.tmp.bat
C:\Windows\Fonts\systam33\csrss.exe
C:\Windows\Fonts\systam33\svchost.exe
C:\Windows\Fonts\systam33\svchost.ini
C:\Windows\Fonts\chrome\chrome.exe
C:\Windows\Fonts\chrome\config.json
C:\Windows\Fonts\systam33\1.ini