7a611f7ede6f64d7deafdf2510ea740cf615ab0cd3d709cf17476c43a3b8aaee

Analysis

max time kernel
147s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.msi
Size

18.5MB
MD5

b4a8e2c2930ce08543812fc93d52c623
SHA1

46bd2b41d3f0d3d0ee4edbad3765534b9f8a4aa5
SHA256

7a611f7ede6f64d7deafdf2510ea740cf615ab0cd3d709cf17476c43a3b8aaee
SHA512

a689155826b93302649934648550e8c8a9a9a117cf72959ec153f8d5a443c14190f06a48b8e8ab0041c78e1d14c15a5859805e2eb955b7ac21c94814c33dd491
SSDEEP

393216:4/rBfNTzWDFhDxzDreUUrHhRVR6+U4BttD/HVQ20vngRTJVBaOlVcv+:urBf1WdLetDtR6IttD1QBSB7ry

Score

9^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

SynthFont2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SynthFont2.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

SynthFont2.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Wine	SynthFont2.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow	pid	Process
2	5108	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Windows\SystemTemp\~DF19705CAE0CFA14EA.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF6A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ad3a.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEF1C05C16B70BD3B.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{62CE5C99-B708-4933-B9B9-2FFDE041F5E7}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF014FA38CD1F17989.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF527EC91BC8622A9B.TMP	msiexec.exe
File created	C:\Windows\Installer\e57ad38.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ad38.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

SynthFont2.exe

pid	Process
1080	SynthFont2.exe

Loads dropped DLL 4 IoCs

Processes:

SynthFont2.exe

pid	Process
1080	SynthFont2.exe
1080	SynthFont2.exe
1080	SynthFont2.exe
1080	SynthFont2.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
behavioral2/files/0x001900000002aab5-53.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
5108	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SynthFont2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SynthFont2.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008e4795fcec2d58710000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008e4795fc0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008e4795fc000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8e4795fc000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008e4795fc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 2 IoCs

Processes:

SynthFont2.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SynthFont2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	SynthFont2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid	Process
2340	msiexec.exe
2340	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	5108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5108	msiexec.exe
Token: SeSecurityPrivilege	2340	msiexec.exe
Token: SeCreateTokenPrivilege	5108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5108	msiexec.exe
Token: SeLockMemoryPrivilege	5108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5108	msiexec.exe
Token: SeMachineAccountPrivilege	5108	msiexec.exe
Token: SeTcbPrivilege	5108	msiexec.exe
Token: SeSecurityPrivilege	5108	msiexec.exe
Token: SeTakeOwnershipPrivilege	5108	msiexec.exe
Token: SeLoadDriverPrivilege	5108	msiexec.exe
Token: SeSystemProfilePrivilege	5108	msiexec.exe
Token: SeSystemtimePrivilege	5108	msiexec.exe
Token: SeProfSingleProcessPrivilege	5108	msiexec.exe
Token: SeIncBasePriorityPrivilege	5108	msiexec.exe
Token: SeCreatePagefilePrivilege	5108	msiexec.exe
Token: SeCreatePermanentPrivilege	5108	msiexec.exe
Token: SeBackupPrivilege	5108	msiexec.exe
Token: SeRestorePrivilege	5108	msiexec.exe
Token: SeShutdownPrivilege	5108	msiexec.exe
Token: SeDebugPrivilege	5108	msiexec.exe
Token: SeAuditPrivilege	5108	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5108	msiexec.exe
Token: SeChangeNotifyPrivilege	5108	msiexec.exe
Token: SeRemoteShutdownPrivilege	5108	msiexec.exe
Token: SeUndockPrivilege	5108	msiexec.exe
Token: SeSyncAgentPrivilege	5108	msiexec.exe
Token: SeEnableDelegationPrivilege	5108	msiexec.exe
Token: SeManageVolumePrivilege	5108	msiexec.exe
Token: SeImpersonatePrivilege	5108	msiexec.exe
Token: SeCreateGlobalPrivilege	5108	msiexec.exe
Token: SeBackupPrivilege	2316	vssvc.exe
Token: SeRestorePrivilege	2316	vssvc.exe
Token: SeAuditPrivilege	2316	vssvc.exe
Token: SeBackupPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exeSynthFont2.exe

pid	Process
5108	msiexec.exe
5108	msiexec.exe
1080	SynthFont2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SynthFont2.exe

pid	Process
1080	SynthFont2.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 2340 wrote to memory of 3564	2340	msiexec.exe	83
PID 2340 wrote to memory of 3564	2340	msiexec.exe	83
PID 2340 wrote to memory of 1080	2340	msiexec.exe	85
PID 2340 wrote to memory of 1080	2340	msiexec.exe	85
PID 2340 wrote to memory of 1080	2340	msiexec.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3564
- C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\SynthFont2.exe
  "C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\SynthFont2.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Identifies Wine through registry keys
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ad39.rbs

Filesize
12KB

MD5
723b7ef8380cbc82d3f975c7cb594c1f

SHA1
0f544f7f13f1ebfbb20677a5c5cf26d320ddc28c

SHA256
e8f803b587df949385fe540d3ba1fd94bcc2c5047c100b8e707f986402638570

SHA512
a78433b92d813a1fb727ef1c6a041e36b31724035e7c8ba2dce183d601eae73930a96d5b1e98b1eeec4416bbf4e2e142a2faf33cc9c50e87d37f297a63379044

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\3DGlue10-32.dll

Filesize
612KB

MD5
642c48d582bd0595fd8ab9bdc9e8a01f

SHA1
277744685ca3d504e5a7f05d1fb208112e8f4932

SHA256
677777a3557c2c25273764073ac6317d2d56249d55747549ce8f91c12f794ab1

SHA512
585d0b8f29c090353f6f8979b377ce1ec2b78bf52f770bde1a4016805bfd89f3f1300d4e5ed57008a2344258a858ba0211b8b7ecaf1cb63c8c0404a4d2210687

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\Plan.dat

Filesize
328KB

MD5
ffcf9875af4edf49030bfec6f4670d67

SHA1
b33e84e793585e25371ecf1a8fc8d0092cc36ab0

SHA256
40422ab8d750122bf3435636d5817c3b0468d0a876b5d569ef34070c42d4c7c1

SHA512
4c7d111285eb2152281e86c9f29002aaf4e0539fc391703d8ba61b86638d6c468f54a13a613cba1ced98198a263f0a5b95c55802df277e0b6976beab9b412758

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\QTSourcePXT.dll

Filesize
1.9MB

MD5
66c4863871eec6dc4822f7af7b4f68cb

SHA1
a412c63c256948277ae442f3c523388284ce55e6

SHA256
b2a81a022b6c221bd48f3160eefe97c66977b61f006b0ea9810aa80e04edccbf

SHA512
a8e9bfb84bf216c5743e1b7fc6476e35848cbff3bb8c0073424419a11c2aad03456ff79b411e2acd83351680f94dac9e74f9ee7aeb77eff2ffa256363f69d710

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\SynthFont.ini

Filesize
22B

MD5
bd43ef5c31b2f00e01b18492e2138391

SHA1
fcacf478671816f918a2f65d69ea7c3eea24bc8f

SHA256
32260f91d0109d9b92d396f7ca14d04e226f1b1186ce711319f2d4d9186ff509

SHA512
8f93f5621e6e24b596573134b907d94c6ce9bd865b63e5f9b83b602995ce71760c877c48f94e5a7f7a5a38607420cd207fbc9cff8485371e866f13399d4a8dea

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\SynthFont2.exe

Filesize
20.1MB

MD5
b9120e1fd2abcb3f70e298a2448a259a

SHA1
70b5b4a180ba6d639ef591ed61b1448228da45f0

SHA256
1f207a4c1c4cf1a3ee335ff529b7253db7d487338f399d94011aaf458f59e9c2

SHA512
2960c1648f859b9a6a01bfc4bab8afa46cb5c9bfd2645680abd65b1eb2ca037d75cdcae3d5214522fa3278fbc961e8e3b5cbbec7a958cbbbb45e9d2b52ae2956

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\report.wav

Filesize
3.6MB

MD5
fe7657fc50fd51ef452b74349956054c

SHA1
fafe06cdb90ee0a02aaf6fe4bfe5940a9f82a9f7

SHA256
4679825db2c4cc577c5f5bd1a04a62a168f4ab7100a1cbb35f5c1be15112d66f

SHA512
b080adce3e294f96db07a1c7f174293f76bcf5286b545f17271768a6e8feaa564c46d2c4744d5b549fe34629db8c22b6c27849514185f0539a5eefce84dcfbce

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\sfArkDLL.dll

Filesize
92KB

MD5
f16146b1c3d8bac544699aece383003a

SHA1
c8c17bccbaf1f36a97bf04773b6a9de70684f55c

SHA256
fc41a2f0716ca592182f8a1a08929a3f63863408fe5ea797ddc592b8ca212881

SHA512
ba3dd381f8f43819457f2bdcf5ae2021b257524edf94758e5f6bb0b3a68170aae9c8591fe8b660c5f6f607c51f8540fc87a3488b3041bbb80200b45cd9d5451f

Download Submit
C:\Users\Admin\AppData\Local\Programs\EasyDuplicateFinder\winplay.dll

Filesize
9.3MB

MD5
b1258a8bf88edc6547c396b1d06edd93

SHA1
e96c28447890cc32deada0af3be6dd3df2d979fc

SHA256
39b2061a1275d4d8e8f56f600a265a10c23eafdb4ca40165b606f8079ce1f8fd

SHA512
62db68625d22d895f27e617a2c1a01e73acf3d74bcc854625b2ccbee15bc274a282d53a36072dd02521ab6ce2e5c87a73b665e0221dde604c5391a0e2ca4587b

Download Submit
C:\Users\Admin\AppData\Roaming\SynthFont\SynthFont.ini

Filesize
85B

MD5
3141452696548f9f0144f6cf158a8b61

SHA1
58d521510a6c754ab3cb540df70c69398af67dfb

SHA256
33601a703bb7bc5277fc4aba18051ad796aa3d5b37775c53b01eecaf2e120aa8

SHA512
d5780dd1076dc7657bf41922267ae627cdfc7d72a0d4bbe0f6b8227aba953ff979e0132f4429175dbf7d12006c74e51d5f60807c01fae4fa3efc1f8ac2af5d08

Download Submit
C:\Users\Admin\AppData\Roaming\SynthFont\SynthFont.ini

Filesize
118B

MD5
6a526ee48e0fa780ca0856e51e741e83

SHA1
864dc8affb5027d833939ca839d6b2006f8e9b38

SHA256
788d78a8c77bc95d57d8b67ea2f06d8cf497db584749d02be91bd143e53ac96a

SHA512
f7eeb31f810c4e80838fe0b50a7f7da54b50b2920369b2ea91a834d38e0421e8a0f4ab966b316449c1c8c7f4b54dd86c1c968aafcbd79260d8492fb7865e6c01

Download Submit
C:\Users\Admin\AppData\Roaming\SynthFont\SynthFont.ini

Filesize
192B

MD5
d103604383f9e0a375cef3256bc049bb

SHA1
026e56871eb6940e1b9607510a98b5bf0722b264

SHA256
c425285214e5215226c7709ea39fda512c58e120d78a8f50f74428933c019ecf

SHA512
4716a76a6ad09ffdc60a64357769f3dd3fc48472d78de4aa3892ac0003dba507cccd9a78ebc98d8aaef98ad48dabf738a3cdc239190971236a3ecc0e3703471d

Download Submit
C:\Windows\Installer\e57ad38.msi

Filesize
18.5MB

MD5
b4a8e2c2930ce08543812fc93d52c623

SHA1
46bd2b41d3f0d3d0ee4edbad3765534b9f8a4aa5

SHA256
7a611f7ede6f64d7deafdf2510ea740cf615ab0cd3d709cf17476c43a3b8aaee

SHA512
a689155826b93302649934648550e8c8a9a9a117cf72959ec153f8d5a443c14190f06a48b8e8ab0041c78e1d14c15a5859805e2eb955b7ac21c94814c33dd491

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
70cb1ea1b749e57b1e0897a91c9e3099

SHA1
71cb5b0efe52103781b86c44d8bac7786648a663

SHA256
1be1cec3585eb7fd678b9eb920bbc06e0b01957191e8a852b8feb19e30a0ce46

SHA512
8028e34e44a9a210447516454f6bbd65399a90c023c03541292befd1c559644b0a115cc96bc740818128538acb462b4ae32c9895e4b957f2f2156a4cb40aff5d

Download Submit
\??\Volume{fc95478e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5f21b04d-e832-4865-800d-5624af06a9b2}_OnDiskSnapshotProp

Filesize
6KB

MD5
dff10c5b801034af93c905441c899cc6

SHA1
42ed4ce4b83f85f897d99f141422ab0b33b82036

SHA256
f4bc6f55486e61e6c2a7db76f76ddead2497edc15451acd34506fe0947b69083

SHA512
58960f1ee4d4a54c3087e5002a01529d3a8d74db87d38411704819eaad37ef015f4a083a28f3ebe7f2e70652c78cf8cd566c7fa1f321600726786eefa66a190d

Download Submit
memory/1080-387-0x0000000008FE0000-0x0000000009139000-memory.dmp

Filesize
1.3MB

Download
memory/1080-388-0x0000000008FE0000-0x0000000009139000-memory.dmp

Filesize
1.3MB

Download
memory/1080-386-0x0000000008FE0000-0x0000000009139000-memory.dmp

Filesize
1.3MB

Download
memory/1080-71-0x0000000008FE0000-0x0000000009139000-memory.dmp

Filesize
1.3MB

Download
memory/1080-64-0x00000000726B0000-0x0000000072AF4000-memory.dmp

Filesize
4.3MB

Download
memory/1080-716-0x00000000726B0000-0x0000000072AF4000-memory.dmp

Filesize
4.3MB

Download
memory/1080-715-0x00000000005B0000-0x0000000002548000-memory.dmp

Filesize
31.6MB

Download
memory/1080-717-0x00000000005B0000-0x0000000002548000-memory.dmp

Filesize
31.6MB

Download
memory/1080-721-0x00000000005B0000-0x0000000002548000-memory.dmp

Filesize
31.6MB

Download
memory/1080-726-0x00000000005B0000-0x0000000002548000-memory.dmp

Filesize
31.6MB

Download
memory/1080-728-0x00000000005B0000-0x0000000002548000-memory.dmp

Filesize
31.6MB

Download
memory/1080-732-0x0000000008FE0000-0x0000000009139000-memory.dmp

Filesize
1.3MB

Download
memory/1080-731-0x0000000008FE0000-0x0000000009139000-memory.dmp

Filesize
1.3MB

Download
memory/1080-735-0x00000000005B0000-0x0000000002548000-memory.dmp

Filesize
31.6MB

Download
memory/1080-743-0x00000000726B0000-0x0000000072AF4000-memory.dmp

Filesize
4.3MB

Download