dcrat | 65b0c87250c7207266c3106b971952371a617a6d8a71961261f9cee48d3b5af1

Analysis

max time kernel
101s
max time network
123s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-01-2025 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.3MB
MD5

28c9205807203203b71d3bd96798998a
SHA1

1e5a4a9e3b3f32a177d00919d48ef8d8375bf91b
SHA256

65b0c87250c7207266c3106b971952371a617a6d8a71961261f9cee48d3b5af1
SHA512

eafc27377283d50890c2212aa73dd8474974dc81a358774ae2aab4bd4678680d187281a45338b86ba50d41c01772c69fc3816d6688173da78bcf333d867274e8
SSDEEP

24576:U2G/nvxW3Ww0tQT2vWFQ/NJcu6EpfGr5ys8NL/IRNWdtmV:UbA30TNJcKGrJkzIDW2

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3608	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	3608	schtasks.exe	85

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0028000000046180-14.dat	dcrat
behavioral1/memory/4452-16-0x00000000007D0000-0x00000000008DC000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	mscontainer.exe

Executes dropped EXE 2 IoCs

pid	Process
4452	mscontainer.exe
1528	wininit.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\uk-UA\5b884080fd4f94	mscontainer.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\System.exe	mscontainer.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\27d1bcfc3c54e0	mscontainer.exe
File created	C:\Program Files\Windows Mail\SppExtComObj.exe	mscontainer.exe
File created	C:\Program Files\Windows Mail\e1ef82546f0b02	mscontainer.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\sihost.exe	mscontainer.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\66fc9ff0ee96c2	mscontainer.exe
File created	C:\Program Files\Windows NT\Accessories\uk-UA\fontdrvhost.exe	mscontainer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\wininit.exe	mscontainer.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\56085415360792	mscontainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings	DCRatBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3860	schtasks.exe
4300	schtasks.exe
324	schtasks.exe
4132	schtasks.exe
3948	schtasks.exe
2392	schtasks.exe
4944	schtasks.exe
2004	schtasks.exe
1848	schtasks.exe
3096	schtasks.exe
3100	schtasks.exe
1644	schtasks.exe
984	schtasks.exe
220	schtasks.exe
1696	schtasks.exe
712	schtasks.exe
3788	schtasks.exe
1136	schtasks.exe
1008	schtasks.exe
2396	schtasks.exe
2476	schtasks.exe
2704	schtasks.exe
4816	schtasks.exe
2340	schtasks.exe
924	schtasks.exe
1916	schtasks.exe
3656	schtasks.exe
4148	schtasks.exe
1280	schtasks.exe
4040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4452	mscontainer.exe
4452	mscontainer.exe
4452	mscontainer.exe
4452	mscontainer.exe
4452	mscontainer.exe
4452	mscontainer.exe
4452	mscontainer.exe
1528	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	mscontainer.exe
Token: SeDebugPrivilege	1528	wininit.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2768	4408	DCRatBuild.exe	81
PID 4408 wrote to memory of 2768	4408	DCRatBuild.exe	81
PID 4408 wrote to memory of 2768	4408	DCRatBuild.exe	81
PID 2768 wrote to memory of 2192	2768	WScript.exe	82
PID 2768 wrote to memory of 2192	2768	WScript.exe	82
PID 2768 wrote to memory of 2192	2768	WScript.exe	82
PID 2192 wrote to memory of 4452	2192	cmd.exe	84
PID 2192 wrote to memory of 4452	2192	cmd.exe	84
PID 4452 wrote to memory of 1528	4452	mscontainer.exe	116
PID 4452 wrote to memory of 1528	4452	mscontainer.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FontCrt\khuXVZNLT8lHU57dZRLpVAxj9.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\FontCrt\ahBTPS2VPnUCyISJ3w9RBP1jNcT.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\FontCrt\mscontainer.exe
      "C:\FontCrt\mscontainer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\wininit.exe
        
        "C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\FontCrt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\FontCrt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\FontCrt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FontCrt\ahBTPS2VPnUCyISJ3w9RBP1jNcT.bat

Filesize
28B

MD5
e1f58127ae786ef52764c622753d3e8a

SHA1
c45e0842b04d8fbb0374ccdef5e950b7fceca1b6

SHA256
d16ade0fe8e1865172f17305962ba1c4cae5f8ad4d3618a5d87ea62732e2cab5

SHA512
f6393ad6f076b77bd57b25308588d43d3cbc4bd3b6d08fad62ba5ca74f1b140aedb69b8a14900570d0ac81cdb4b6cb8453a2920337d14877dd11cb293870b598

Download Submit
C:\FontCrt\khuXVZNLT8lHU57dZRLpVAxj9.vbe

Filesize
211B

MD5
694d3b43806f860222387aa75f580204

SHA1
c2059e5e815c25a75dc2ee377b2dec21993c14ab

SHA256
ab69e634aa7e7cf4fc538d611f116bd7a935d04ac5c9a5b7b9801e9e67ca8bc9

SHA512
4980edf01d5e988caac1320f38b7a3dc0a3f12c6b361f8b4423ebd7f3a68271e508f520463a6598c750e13340498858ea3dd77561578a5ce1e9c22687a4a04c2

Download Submit
C:\FontCrt\mscontainer.exe

Filesize
1.0MB

MD5
6e419c52de7ea417517eb6b05d282976

SHA1
7c24c07261e8738d2ff5cc71ff12b45806433f13

SHA256
34b11186c045bb01af30e36590e39fa1ae8dacb6bb97c4fe0d4ebbec10a33948

SHA512
b464974f1d251638f173279d9fbdc6ed81b541de92975740b16c47b8a0273f08a742439cdcf3aed5c2b177cfc2ff3c1daa64f3ccfa8b4905fecf3cbe29352b9e

Download Submit
memory/1528-32-0x000000001C1B0000-0x000000001C299000-memory.dmp

Filesize
932KB

Download
memory/1528-38-0x000000001C1B0000-0x000000001C299000-memory.dmp

Filesize
932KB

Download
memory/4452-15-0x00007FFB17123000-0x00007FFB17125000-memory.dmp

Filesize
8KB

Download
memory/4452-16-0x00000000007D0000-0x00000000008DC000-memory.dmp

Filesize
1.0MB

Download
memory/4452-17-0x000000001B4F0000-0x000000001B506000-memory.dmp

Filesize
88KB

Download
memory/4452-18-0x00000000010B0000-0x00000000010BE000-memory.dmp

Filesize
56KB

Download
memory/4452-31-0x000000001BB20000-0x000000001BC09000-memory.dmp

Filesize
932KB

Download