Overview

overview

10

Static

static

3

f0f558d279...b6.exe

windows7-x64

10

f0f558d279...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 04:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0f558d279b1bc6708a1e95e8aa611c2824ee18be18e9676a236130d649e6db6.exe

  • Size

    1.8MB

  • MD5

    d1c01e3ece918fce1cee14204b9a91af

  • SHA1

    888e49d8716e5d283c3a16a2cdaf37a9c09c098e

  • SHA256

    f0f558d279b1bc6708a1e95e8aa611c2824ee18be18e9676a236130d649e6db6

  • SHA512

    1263bad7fd1911d6689734477bd2b90b718d4496c69c1ef173e411443929d40317e798cdf1370446b7b6bd14d269ef8edbe197af4f2590f30fac45fdb0e8bd6e

  • SSDEEP

    49152:IBJTl4fxzc8TMk++HUwh42sDnaeQdbJU7Z:yj4hcEM54UG43naZs

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0f558d279b1bc6708a1e95e8aa611c2824ee18be18e9676a236130d649e6db6.exe
    "C:\Users\Admin\AppData\Local\Temp\f0f558d279b1bc6708a1e95e8aa611c2824ee18be18e9676a236130d649e6db6.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontwin\rjeG9jpaqkoGYbXQiCixJVHPtViWeFHmB5.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\fontwin\SCfgtLybPKjlpPh39WWFnP7oUkboktfnsRDnMjyFOdFfzldEyFoe.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\fontwin\MsServerHost.exe
          "C:\fontwin/MsServerHost.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3ee1ekh\a3ee1ekh.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1956
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9000.tmp" "c:\Windows\System32\CSCD4BB004373324F4B83782A62BB471BF4.TMP"
              6⤵
                PID:1932
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:892
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2844
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:848
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontwin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1588
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1564
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1680
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1560
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:856
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2668
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1260
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1888
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1380
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\services.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2300
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\dllhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1360
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\conhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1820
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\services.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:616
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\Idle.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:788
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\MsServerHost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:776
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ynFfJcXw4B.bat"
              5⤵
                PID:704
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  6⤵
                    PID:1060
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    6⤵
                      PID:2944
                    • C:\Users\Public\Favorites\Idle.exe
                      "C:\Users\Public\Favorites\Idle.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:444
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:296
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1164
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:544
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2512
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:580
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2400
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2296
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 13 /tr "'C:\fontwin\MsServerHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1912
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1520
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 8 /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1228

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RES9000.tmp
            Filesize

            1KB

            MD5

            e75b10692dd635b6591ac36208cf48e6

            SHA1

            2265723f3161c75448e06f14cc191334a4bf8845

            SHA256

            ab7fbff7c565157da90e8f63f318a03f508d0a738eca8162802296cf33f94bc2

            SHA512

            60363090717c8ec2336d973e911ac623640fa9b2370cda951d8b93bbf8b341e87ec8b75cdaac90e1b0ced71f0fc3842fcddc3f01be0ca82d31d41121fbc7cac0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ynFfJcXw4B.bat
            Filesize

            210B

            MD5

            d36a90ec5cecba310cf8865293b31740

            SHA1

            e87e6253acfe0a73859cb320964b19e12f0e0050

            SHA256

            e21c06afd5a75dac7fa00a457aba7fdf20252ee5d9847a1e8e0ece65dca032c4

            SHA512

            aa124b7a806716fad58e7d308355fa9bf095783218900172aead75ad35bd7d8375e1f707bf420b9c69dbfbd0097ae7a41c08d0df4971b9216c4bf79b38f91ee6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            5e215b4b2dbabc4c12128295678c0703

            SHA1

            8b6d9c0f22454ac2505cc97ac2d1e59de5376e5d

            SHA256

            85f09803195d3343514a455d99b78da6d8f9b2a57d98966f13c5775b97acdfad

            SHA512

            f7f9cd4bbad6beca69582d1c8131242fea8f9eea020746461afbead37980ea4c411d337078d367de2ce07aab19cc70e70bb7f6d7f07a1b1a1d56bbdc2cf2445b

            Download Submit

          • C:\fontwin\SCfgtLybPKjlpPh39WWFnP7oUkboktfnsRDnMjyFOdFfzldEyFoe.bat
            Filesize

            79B

            MD5

            06def1a66d18e2cb54c3feb3e338e852

            SHA1

            deea78d6baf993c87a4be23895c0ac97be3a58e5

            SHA256

            050561c2a9a611410c1194e5dea95982410c21c13e6a1b55d0df5c19fb4d3d2f

            SHA512

            a3769d9af6fdf50c8a86707cf6ced77673e7c7d0471c8102777adf5a556e9ee1598941596fd6acd198c84e7900205a67503209e95e9a4f8ea7f139014e8ba93f

            Download Submit

          • C:\fontwin\rjeG9jpaqkoGYbXQiCixJVHPtViWeFHmB5.vbe
            Filesize

            238B

            MD5

            c40860c6355fad694d0759ae23dd3439

            SHA1

            eb61967cd1502160c1e2e219690cf0b7f91cc94e

            SHA256

            b4c7379240810d664b2bdd60e093b4203134eff9c42de2720b0cd287af1d74ca

            SHA512

            ca5323cf17932235cce0c83bc82efa25dd88c0c181b1cddc82149690531d26a0c948ec4d33435ccdf95cc1884efe163703df878ecc30ccc90ecd85083d4d4dfc

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\a3ee1ekh\a3ee1ekh.0.cs
            Filesize

            383B

            MD5

            81a9d945a6dcb28fc4a87e4dc0bbc377

            SHA1

            a357b641f8a38537c72ffd1c5a4510772e2b4946

            SHA256

            f4f5c6853ec6909d8c6b49a93ef55f6b36c3baadfcb89920d5d903ee72bbb93d

            SHA512

            c2ec41b3dc5482b3ce5276524092e47fc7f40661bf85093f19faf9479e12f6e1878eb1548a837f6870948580a6d457074e6d4d84d28ee9ff130ee0ec1cb9c57e

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\a3ee1ekh\a3ee1ekh.cmdline
            Filesize

            235B

            MD5

            7cec07420c27db6898fc54215df6b5eb

            SHA1

            77cabea917974e90b95cd096532af3bed5f2a2e1

            SHA256

            b3351d9e5a0b61b594f54c798681db5d82af1ea8c506796c4c84a6158129fe7d

            SHA512

            6e8b18ae263cfc15f8f2aa7c998a1b6d8cd36cc3f317dbda2d66f5e2d415d10fd2df54b04643343f5f49a7c6565bad198708d204ad274b128eec4ebc0dd8cbb5

            Download Submit

          • \??\c:\Windows\System32\CSCD4BB004373324F4B83782A62BB471BF4.TMP
            Filesize

            1KB

            MD5

            078586b266e519b5c113064d7a0bf45c

            SHA1

            a9395c0ef35add5c75591ebb94c85c1f33f408bf

            SHA256

            ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

            SHA512

            5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

            Download Submit

          • \fontwin\MsServerHost.exe
            Filesize

            1.9MB

            MD5

            6a720688eb9d2f5c2cfd4761f969063b

            SHA1

            5ee46b7fd8f41c79e3df31feede20c518307d52a

            SHA256

            7be4d5853d99295ba22450e935a9ab99861cfbe5ecc56dab500161c5fa6a8d8b

            SHA512

            8a9bee8056817fdd26f41202ceae21c4dd720b20de699f28ec6dbbf70ad6566f4ed394d34cbe640374cf970ccb4f4746fe416f2c7bdec19864305c9878d489c0

            Download Submit

          • memory/444-155-0x0000000000DF0000-0x0000000000FE8000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/892-59-0x000000001B560000-0x000000001B842000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/892-65-0x0000000002810000-0x0000000002818000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2580-17-0x0000000000B60000-0x0000000000B7C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2580-27-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2580-25-0x0000000000340000-0x000000000034E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2580-23-0x0000000000330000-0x000000000033C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2580-21-0x0000000000320000-0x000000000032E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2580-19-0x0000000000B80000-0x0000000000B98000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2580-15-0x0000000000290000-0x000000000029E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2580-13-0x0000000000D00000-0x0000000000EF8000-memory.dmp

            Filesize

            2.0MB

            Download