dcrat | 0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc

Analysis

max time kernel
126s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe
Size

1.9MB
MD5

03fd9c7c9d838f3e7d4a2e42c317b6be
SHA1

66976024383f4557cd20089d9621c63cbe69ef1f
SHA256

0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc
SHA512

177a7f955a5060e96279262cf2fc6a34a59535c93412b1afc8f6c51c7adad1548906d25413f6b43e944154816aba98964da203f42f71192c2ef8eaaac6c40654
SSDEEP

49152:tbA3D8ThjyY3Bh5m7Uqbs3Ed/v1/hTTBxjkndCV/WY:tbpThjyY3soqbsUX1/t3jknYV/F

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\WmiPrvSE.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\WmiPrvSE.exe\", \"C:\\odt\\conhost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\WmiPrvSE.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\WmiPrvSE.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Program Files\\Windows Defender\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\WmiPrvSE.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\Registry.exe\", \"C:\\msref\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\""	fontreviewHost.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3520	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3520	schtasks.exe	85

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0006000000023128-16.dat	dcrat
behavioral2/files/0x0006000000023128-15.dat	dcrat
behavioral2/memory/452-17-0x0000000000150000-0x00000000002A2000-memory.dmp	dcrat
behavioral2/files/0x0007000000023134-29.dat	dcrat
behavioral2/files/0x000400000001e2e8-62.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	fontreviewHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe

Executes dropped EXE 2 IoCs

pid	Process
452	fontreviewHost.exe
4124	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\odt\\Registry.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\odt\\Registry.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\msref\\SearchApp.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\odt\\conhost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\msref\\SearchApp.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\SystemApps\\NcsiUwpApp_8wekyb3d8bbwe\\microsoft.system.package.metadata\\Autogen\\explorer.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\odt\\conhost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\csrss.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Defender\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Defender\\WmiPrvSE.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\TextInputHost.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Speech\\Engines\\TTS\\en-US\\RuntimeBroker.exe\""	fontreviewHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\csrss.exe\""	fontreviewHost.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\WmiPrvSE.exe	fontreviewHost.exe
File created	C:\Program Files\Windows Defender\24dbde2999530e	fontreviewHost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\TextInputHost.exe	fontreviewHost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\22eafd247d37c3	fontreviewHost.exe
File created	C:\Program Files\Common Files\csrss.exe	fontreviewHost.exe
File created	C:\Program Files\Common Files\886983d96e3d3e	fontreviewHost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\explorer.exe	fontreviewHost.exe
File created	C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\7a0fd90576e088	fontreviewHost.exe
File created	C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe	fontreviewHost.exe
File created	C:\Windows\Speech\Engines\TTS\en-US\9e8d7a4ca61bd9	fontreviewHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4516	schtasks.exe
4972	schtasks.exe
1400	schtasks.exe
924	schtasks.exe
2040	schtasks.exe
1768	schtasks.exe
2832	schtasks.exe
2892	schtasks.exe
2508	schtasks.exe
2884	schtasks.exe
1368	schtasks.exe
4212	schtasks.exe
1460	schtasks.exe
556	schtasks.exe
2660	schtasks.exe
2880	schtasks.exe
4572	schtasks.exe
2044	schtasks.exe
2764	schtasks.exe
4160	schtasks.exe
4108	schtasks.exe
4872	schtasks.exe
1256	schtasks.exe
2000	schtasks.exe
4804	schtasks.exe
2200	schtasks.exe
700	schtasks.exe
5116	schtasks.exe
3172	schtasks.exe
3132	schtasks.exe
2944	schtasks.exe
1136	schtasks.exe
2512	schtasks.exe
3800	schtasks.exe
2700	schtasks.exe
2488	schtasks.exe
2084	schtasks.exe
3760	schtasks.exe
4512	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	fontreviewHost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
452	fontreviewHost.exe
452	fontreviewHost.exe
452	fontreviewHost.exe
452	fontreviewHost.exe
452	fontreviewHost.exe
452	fontreviewHost.exe
452	fontreviewHost.exe
452	fontreviewHost.exe
452	fontreviewHost.exe
452	fontreviewHost.exe
4124	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	fontreviewHost.exe
Token: SeDebugPrivilege	4124	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 4076	4488	0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe	86
PID 4488 wrote to memory of 4076	4488	0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe	86
PID 4488 wrote to memory of 4076	4488	0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe	86
PID 4488 wrote to memory of 804	4488	0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe	87
PID 4488 wrote to memory of 804	4488	0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe	87
PID 4488 wrote to memory of 804	4488	0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe	87
PID 4076 wrote to memory of 3536	4076	WScript.exe	89
PID 4076 wrote to memory of 3536	4076	WScript.exe	89
PID 4076 wrote to memory of 3536	4076	WScript.exe	89
PID 3536 wrote to memory of 452	3536	cmd.exe	91
PID 3536 wrote to memory of 452	3536	cmd.exe	91
PID 452 wrote to memory of 2400	452	fontreviewHost.exe	134
PID 452 wrote to memory of 2400	452	fontreviewHost.exe	134
PID 2400 wrote to memory of 4404	2400	cmd.exe	135
PID 2400 wrote to memory of 4404	2400	cmd.exe	135
PID 2400 wrote to memory of 4124	2400	cmd.exe	138
PID 2400 wrote to memory of 4124	2400	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe
"C:\Users\Admin\AppData\Local\Temp\0842c1cd11517bdde54e9143f4a1dc9c4a1ac387ae96f972f65d5b49337648cc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msref\16OqJ.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\msref\WEr8EqInsZG3PEmvxO6Zoo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\msref\fontreviewHost.exe
      "C:\msref\fontreviewHost.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o2yYHqr4JD.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4404
      - C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe
        
        "C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msref\file.vbs"
  2⤵
  PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\msref\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\msref\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\msref\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\MsEdgeCrashpad\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\MsEdgeCrashpad\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\o2yYHqr4JD.bat

Filesize
218B

MD5
d25ec484bbdf35f94fe939188bda03e0

SHA1
9b6bf8da9c4b731799a6dda29a8e529215a99138

SHA256
2ab8aeb5bca22e394ec8d0af99fed7aee224535a326216085c617ed3fa36be99

SHA512
2fe7fa5b055c182d82a7c8b993e980ba0ed5ab047c8857b223ec0cfc23c1d88f980e9ba05997a32eb8fa39c5a7b2c1cfffd104446bd12efb95a92c524ba0195e

Download Submit
C:\Windows\Speech\Engines\TTS\en-US\RuntimeBroker.exe

Filesize
737KB

MD5
699f03224a43dcdabadf83a27cd4f686

SHA1
a55de11f50b943715f462a0098c75502f9b143ff

SHA256
a8b25654814c8228df45c33ea9aab48acc564cecdab4e13ac892713837ef7161

SHA512
3bd7cbe239fcd235723d79048a4ea83c664b87879ec8b125e5fdde18c0a25a46168a69d457085973678d8dd03d5bf319c1c1460eeb9157058c0c092bad71fbb4

Download Submit
C:\msref\16OqJ.vbe

Filesize
204B

MD5
8dc56faa119fd7cb2d6ebb11760b11aa

SHA1
514a9097a27efe40016589701e155ccf5778de01

SHA256
ed50861fa5d1a5e52d9e91917a03a1c0eca8d2c08231ff778b8c8540d3b5dcd8

SHA512
927b73c0cb41eb3ed8289bde8296071e59011c41440c8fd6e46e7b26a125a226fe31effe856235e294d0439d4821c48272d58bf1e8e7c2eab6ba03cb1893c9f0

Download Submit
C:\msref\SearchApp.exe

Filesize
1.3MB

MD5
4db3230683f87082e1c24fac6f0a1304

SHA1
c0c259ccf54aad4732825e00c316338f872cfd7a

SHA256
12f056e68cc558dbfd426bc4bcc4d1ecb539d808caeac809431dd8a670a278f8

SHA512
8ac942967c35de5a42bedba0e609e68e5af8eee10ea9ef85c1d263ced082bdad34f6ace04f3f4b4401c351f9bfbb1a55338f871013bb22f5b5afaffe4aa5ab74

Download Submit
C:\msref\WEr8EqInsZG3PEmvxO6Zoo.bat

Filesize
29B

MD5
83e5b7bb2a52763b9c5d656d5553179e

SHA1
f0588a7031ac500b4fc4fa038cdfe8733624c1dc

SHA256
a0619904fb8be5d1380941ad83d000b23bd223fe0f9c6a75d166056ec2f5ac84

SHA512
56a7b16ce444a3bbac9b0de2e929e869e4def5378ab044e66a253283adaeb6436e83e041090db73f80f905c9d40e80ddcfa432ef0ad85a1d076660b035244803

Download Submit
C:\msref\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\msref\fontreviewHost.exe

Filesize
1.2MB

MD5
80d35c7a29400769c842f0fb3cd54e37

SHA1
ed5d82d9a03b55be102fa11556129ce775ec7ee2

SHA256
f96a34df377459d2df5b5c4e6fd69015652a84b03841b93edbdb53342a916eb3

SHA512
8ada707eb1ca4a401b3b881e09732ad29933f7626241539e36a334311010a28c3a51ecd7ccc48a6f1c8e134fd05edeb9345708650f748c386e2e8fac8f586f3a

Download Submit
C:\msref\fontreviewHost.exe

Filesize
1.1MB

MD5
3869de997ac0b1b9222562f72eb4a7f5

SHA1
198229fc6a5bd4d3c6fc1a071bf6206c2281ed69

SHA256
a282bba6c5487647931c3777f3f77726a0fd6908dd24921fac97433a12a82ef1

SHA512
2b98921de546c11c355287cd2d5e2be72bc2fa0a5c9e4d692f755eab952ea3379fc47a472faea5266fb9bb86432d4e2d23651d88e721fc684fa156fde1fdc3a9

Download Submit
memory/452-17-0x0000000000150000-0x00000000002A2000-memory.dmp

Filesize
1.3MB

Download
memory/452-20-0x000000001AEC0000-0x000000001AEDC000-memory.dmp

Filesize
112KB

Download
memory/452-22-0x000000001AEE0000-0x000000001AEF6000-memory.dmp

Filesize
88KB

Download
memory/452-21-0x000000001B050000-0x000000001B0A0000-memory.dmp

Filesize
320KB

Download
memory/452-24-0x000000001BCD0000-0x000000001C1F8000-memory.dmp

Filesize
5.2MB

Download
memory/452-26-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/452-25-0x0000000002360000-0x000000000236E000-memory.dmp

Filesize
56KB

Download
memory/452-23-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/452-19-0x000000001B0E0000-0x000000001B0F0000-memory.dmp

Filesize
64KB

Download
memory/452-59-0x00007FF99F1D0000-0x00007FF99FC91000-memory.dmp

Filesize
10.8MB

Download
memory/452-18-0x00007FF99F1D0000-0x00007FF99FC91000-memory.dmp

Filesize
10.8MB

Download
memory/4124-63-0x00007FF99EDD0000-0x00007FF99F891000-memory.dmp

Filesize
10.8MB

Download
memory/4124-64-0x000000001BDD0000-0x000000001BDE2000-memory.dmp

Filesize
72KB

Download
memory/4124-66-0x00007FF99EDD0000-0x00007FF99F891000-memory.dmp

Filesize
10.8MB

Download