Overview

overview

10

Static

static

7

DCRatBuild.exe

windows10-2004-x64

10

Resubmissions

26/03/2025, 05:01

250326-fnmenaxxdt 10

Analysis

  • max time kernel
    414s
  • max time network
    415s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    1.4MB

  • MD5

    890b09aea29e89eaf80df95deefb73c3

  • SHA1

    3c6b2b2e635542eaaf4aefd3e0af6a285aefab50

  • SHA256

    225e120cff3c4735693f6297f074cc50a7eb21709668ac7b283514a497296478

  • SHA512

    2a8388fda1533b06d377ed46457cf2f68919ac62cd0ef6ff79a88383a60c1ca0b27a7dc6b1fdcde09f5a7f5b5b7389f27a2f4e79c7c5d2f01f0c602f3cec5421

  • SSDEEP

    24576:9TbBv5rUCB0nQ1c9yzgS5o/mNHJK7CXiUgRRAJtndHr5k+jp9TO7:XBOQ1Iy0MYRIfj+

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat 40 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\reviewsavesperfCrtSvc\tzMZVm1abJD3pde4yd.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\reviewsavesperfCrtSvc\aYwgBEDNgkB8QtolbNtXXxbWyY.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\reviewsavesperfCrtSvc\BlockFontdhcp.exe
          "C:\reviewsavesperfCrtSvc\BlockFontdhcp.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:64
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BhXHWbXjm4.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4512
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4900
              • C:\f9532e701a889cdd91b8\dllhost.exe
                "C:\f9532e701a889cdd91b8\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1124
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgyizeto\wgyizeto.cmdline"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:972
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1F7.tmp" "c:\Users\Admin\AppData\Local\Temp\wgyizeto\CSCFF123A5D24B34340A9FB85857F36C4B.TMP"
                    8⤵
                      PID:5696
                  • C:\Windows\SYSTEM32\cmd.exe
                    "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\\AWL6wsGpK7.bat"
                    7⤵
                      PID:5360
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3540
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\fontdrvhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5576
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\TrustedInstaller.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\TrustedInstaller.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\TrustedInstaller.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4304
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\SearchApp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Videos\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4360
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Settings\dwm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:6112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\Settings\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5612
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\SearchApp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:880
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:872
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5156
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3188
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:6104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\System.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:812
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3356
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\unsecapp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\en-US\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\unsecapp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1248
        • C:\Users\Public\Documents\fontdrvhost.exe
          C:\Users\Public\Documents\fontdrvhost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1992
        • C:\aff403968f1bfcc42131676322798b50\csrss.exe
          C:\aff403968f1bfcc42131676322798b50\csrss.exe
          1⤵
          • Executes dropped EXE
          PID:872
        • C:\f9532e701a889cdd91b8\SearchApp.exe
          C:\f9532e701a889cdd91b8\SearchApp.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3512

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat
          Filesize

          44B

          MD5

          d22873a432ee310a81b55f9ed9076a35

          SHA1

          6634f60bd1c924a0c4161912a9671e2f55dee4ac

          SHA256

          8a4f4e4f942104f2a61a587767f560fe2cfce39eae69bf1b971ca0776ff2fd23

          SHA512

          31a0dd03ee4c113287a484425736d921f87ce705d5062d7f7af56d1a7539f9ef6e05904adb10ab162672c52e63df064c34b6f5d8bb431031735e042e186b6eae

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BhXHWbXjm4.bat
          Filesize

          200B

          MD5

          4d124b8fef90d93fe66ecb4aaea50fd1

          SHA1

          fdb51e5d9653ff7869383218f511a60bfcc509b3

          SHA256

          d19f6a68a68bf27e616e8228af49b0469378f0e9ac436abd15ae108b8958cea4

          SHA512

          a5b1b8085c304ff0939386827f44c1cfaea687b9133e47c2d5724937e69aa0d9d12c6a3543509c95ef3919c34b71833ca384bf7d8e1af546860cebc0688c30b8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESF1F7.tmp
          Filesize

          1KB

          MD5

          e1a1fc0f118e963f2c91e4a12a9ab349

          SHA1

          9e03e4055d36a761c5166fbac5f97ac4490ee63d

          SHA256

          501232158292fd0b59349ddfc3830ac64b72c4efb2650eb0dbf787db38258345

          SHA512

          6740f66022750239d78bff3ed367c66c1be7405be1c660171d178dfe413651ff4cbcdc88c7ba832638ca688759d64e43fff7cd75b77e03c6d06013d33a9cc42a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp9385A.tmp
          Filesize

          1KB

          MD5

          00e76a1965ef3312779990f0f189466a

          SHA1

          7176d2cc9fdf12781e15c3dbfacccfd17520fbde

          SHA256

          d366e04454b61b754455c76983609b53f4b7a8995344e200c74be96867963daa

          SHA512

          da908d0b57df36fd30b77f0539172367dae629f6a456412aec78368fbf96517671d73fb44e7a705122938fe00fa8567941064a99e387b230073863c63994044b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wgyizeto\wgyizeto.dll
          Filesize

          3KB

          MD5

          17ff16f51f7b12372a5193b4b96123c8

          SHA1

          0ba9422a266b36ae2aa62578d863d28dd6578b80

          SHA256

          e9db3c2f70327accbcdd7773650b8de46ea3059e05c047631efa9fd69f9d0a6c

          SHA512

          e3ef1569e0040a8e42bbf273bb3c091151cbaeeb93d51edb7cb192f502d16c6eaf05003206cc4956905f79fcd4c4ef51b5bb66e68ea6e95e637935ebb36b964a

          Download Submit

        • C:\reviewsavesperfCrtSvc\BlockFontdhcp.exe
          Filesize

          1.0MB

          MD5

          3f658d28250f84d99535f21b813ec7cb

          SHA1

          a9b2cc33893de0489eacee3387d0ce8e925852ac

          SHA256

          8c46f055a6dacf41bea4eaca78b4a3eab9e95ec322a1224592f2d49ba0d0ab52

          SHA512

          5e7031c27a6025fee74d63b4590432a662885c8f237d4446f487c851b9c1be03fc43311fd09af028762c64da488bff41d13386cfaf5db0ec741be2e3537ee866

          Download Submit

        • C:\reviewsavesperfCrtSvc\aYwgBEDNgkB8QtolbNtXXxbWyY.bat
          Filesize

          44B

          MD5

          db8867c0cc3be41674b6be7526a43ed0

          SHA1

          7633be3ae90e93f7f2db61814ba49604341bdfe3

          SHA256

          093e64e9e0ca0087984f60b67c531086646966361c6f3255fef2bb5c55d6dd8a

          SHA512

          bffb69ceab7517f863bf20849f51d967854da8863573869dc282d99f34680f411183977b56db4ac2351c0816fb535cbb628e0dad60fc4970ec3987b00c7493a7

          Download Submit

        • C:\reviewsavesperfCrtSvc\tzMZVm1abJD3pde4yd.vbe
          Filesize

          225B

          MD5

          531f115a8a6adab2a86a1af79fb53765

          SHA1

          084f53afdd7317f85a148610d68c2931cc9c0465

          SHA256

          73b48abb75373b9f1bb726491723a345fa63bcbdf65d7ae416dbf3301671409a

          SHA512

          1a82abf9d3cb84192a4f3f0880a09e0ba3eeed6c2a798476eb78fa9c43bfb6ea5f3f401784f31091707c1be18579d0ac76e3a5402ee92e9eda8c3dec524a3d60

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wgyizeto\CSCFF123A5D24B34340A9FB85857F36C4B.TMP
          Filesize

          652B

          MD5

          3debec641425084a4110e448bfb9de83

          SHA1

          05e0b819108ed31a4e34b39e8a6f2e6e20b302c5

          SHA256

          680bd47a5dc52c9c88e9343368cf96fb03ef8c6410b21a15c5b93ccc83e5e6e7

          SHA512

          9e8b3ee6451ce4ec719eeaa4328a1eaf68a4bad0f77713191561d83b42e6e1cdc042e3658e19dc795e3824193194bb3a2f5b60f6b0fd9520f619e9b11626a3f1

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wgyizeto\wgyizeto.0.cs
          Filesize

          365B

          MD5

          86e0b0bf65d4dc07bd897c9e1cdf1f5b

          SHA1

          5c5b82c9577af95ab2207c8f2a746289067d4b6d

          SHA256

          2d9dd898a59efe313bef9c57de42ae64a089d934e4bcf90e46d53b3920a2e5b3

          SHA512

          3c5fec4a23f30b8b66a6283743776767b7bc6d736397c2568e7fdb4f946dede5909bd7c2ab76ba9edf4bf085d6c8b91d089e919965c16c7955f04b6b5c3d401a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wgyizeto\wgyizeto.cmdline
          Filesize

          334B

          MD5

          ba89b2c61802c1549c4fb084832d0757

          SHA1

          f724a63d883188c1952b6bc0493303bde728fc00

          SHA256

          0166c793644c929d0cec19b6239540e3c97fc2cfea4675d4c99cfb12c1caf257

          SHA512

          c036f90b2ec7faaf56014bfa820278eb23ca0f8993dba82e98dc4b8c1147ba93045fbbc8273c60585df3b81043a22525e01ef5cb1f5280c19a86491db8cec704

          Download Submit

        • memory/64-25-0x0000000000200000-0x0000000000308000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1124-76-0x00000000016C0000-0x00000000016C8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3540-19-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-14-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-15-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-16-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-17-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-18-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-20-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-8-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-9-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-10-0x000002B37BD30000-0x000002B37BD31000-memory.dmp

          Filesize

          4KB

          Download