Overview

overview

10

Static

static

10

0842c1cd11...cc.exe

windows7-x64

10

0842c1cd11...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12/02/2024, 03:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe

  • Size

    1.9MB

  • MD5

    03fd9c7c9d838f3e7d4a2e42c317b6be

  • SHA1

    66976024383f4557cd20089d9621c63cbe69ef1f

  • SHA256

    0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc

  • SHA512

    177a7f955a5060e96279262cf2fc6a34a59535c93412b1afc8f6c51c7adad1548906d25413f6b43e944154816aba98964da203f42f71192c2ef8eaaac6c40654

  • SSDEEP

    49152:tbA3D8ThjyY3Bh5m7Uqbs3Ed/v1/hTTBxjkndCV/WY:tbpThjyY3soqbsUX1/t3jknYV/F

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
    persistence
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe
    "C:\Users\Admin\AppData\Local\Temp\0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\msref\16OqJ.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\msref\WEr8EqInsZG3PEmvxO6Zoo.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\msref\fontreviewHost.exe
          "C:\msref\fontreviewHost.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\winlogon.exe
            "C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\winlogon.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2576
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\msref\file.vbs"
      2⤵
        PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1600
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Application Data\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Application Data\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontreviewHostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\fontreviewHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontreviewHostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\fontreviewHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Pictures\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Pictures\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontreviewHost" /sc ONLOGON /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\fontreviewHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontreviewHost" /sc ONLOGON /tr "'C:\Users\Admin\fontreviewHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontreviewHostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\fontreviewHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontreviewHostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\fontreviewHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\msref\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\msref\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\msref\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\en-US\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\en-US\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2096
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2904

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\winlogon.exe
      Filesize

      1.2MB

      MD5

      8b4decec6f29a0785c5fd6c191d5995a

      SHA1

      4b64d77924ef7ccd88665ef5ecb39c8a3021d657

      SHA256

      a5ce12ae9d4b98a0f6ed5c04cd296229f76587656c989e913c81e3fea558cd23

      SHA512

      aa35fbafc1cc019cfe4dfb4567d4a7110d3179cdbed762033a8417a20dad5f46815032025ce2ebc34f3de77317e57b6a16b7cc2792a148fa5d611e4b43e02ae7

      Download Submit

    • C:\msref\16OqJ.vbe
      Filesize

      204B

      MD5

      8dc56faa119fd7cb2d6ebb11760b11aa

      SHA1

      514a9097a27efe40016589701e155ccf5778de01

      SHA256

      ed50861fa5d1a5e52d9e91917a03a1c0eca8d2c08231ff778b8c8540d3b5dcd8

      SHA512

      927b73c0cb41eb3ed8289bde8296071e59011c41440c8fd6e46e7b26a125a226fe31effe856235e294d0439d4821c48272d58bf1e8e7c2eab6ba03cb1893c9f0

      Download Submit

    • C:\msref\WEr8EqInsZG3PEmvxO6Zoo.bat
      Filesize

      29B

      MD5

      83e5b7bb2a52763b9c5d656d5553179e

      SHA1

      f0588a7031ac500b4fc4fa038cdfe8733624c1dc

      SHA256

      a0619904fb8be5d1380941ad83d000b23bd223fe0f9c6a75d166056ec2f5ac84

      SHA512

      56a7b16ce444a3bbac9b0de2e929e869e4def5378ab044e66a253283adaeb6436e83e041090db73f80f905c9d40e80ddcfa432ef0ad85a1d076660b035244803

      Download Submit

    • C:\msref\file.vbs
      Filesize

      34B

      MD5

      677cc4360477c72cb0ce00406a949c61

      SHA1

      b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

      SHA256

      f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

      SHA512

      7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

      Download Submit

    • \msref\fontreviewHost.exe
      Filesize

      1.3MB

      MD5

      4db3230683f87082e1c24fac6f0a1304

      SHA1

      c0c259ccf54aad4732825e00c316338f872cfd7a

      SHA256

      12f056e68cc558dbfd426bc4bcc4d1ecb539d808caeac809431dd8a670a278f8

      SHA512

      8ac942967c35de5a42bedba0e609e68e5af8eee10ea9ef85c1d263ced082bdad34f6ace04f3f4b4401c351f9bfbb1a55338f871013bb22f5b5afaffe4aa5ab74

      Download Submit

    • memory/2576-68-0x00000000012C0000-0x0000000001412000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2576-72-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2576-69-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2576-71-0x0000000000B90000-0x0000000000C10000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2888-18-0x00000000001C0000-0x0000000000312000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2888-25-0x0000000002010000-0x0000000002018000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2888-24-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2888-23-0x00000000003F0000-0x0000000000402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2888-22-0x00000000003C0000-0x00000000003D6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2888-70-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2888-21-0x00000000003A0000-0x00000000003BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2888-20-0x000000001B2A0000-0x000000001B320000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2888-19-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

      Filesize

      9.9MB

      Download