dcrat | a96f478eaccaa6f24f94f782f2e65717ce87a2ed8c6e43bdb48dd9f4d83a5f75

Analysis

max time kernel
149s
max time network
154s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
26/03/2025, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.1MB
MD5

7a9b75201612cbddbd7306ad838b7702
SHA1

3e933e2963ea93327b484a7fb35edeb8e70b5825
SHA256

a96f478eaccaa6f24f94f782f2e65717ce87a2ed8c6e43bdb48dd9f4d83a5f75
SHA512

2de8b99ff6223c0fe5802aa46a2c8f004ae2d3cf614663861857f360eb78fb93903e5210f8022358416495f18b28b9fe3c2b99c5386b170f36f92c16f818c17a
SSDEEP

24576:U2G/nvxW3Ww0tJjFQ+qTLRr61LjemLSAN0+KleGpi:UbA30RwRXo/NolG

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	WmiPrvSE.exe

Process spawned unexpected child process 29 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5284	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	236	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5232	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5516	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1404	schtasks.exe	116
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1404	schtasks.exe	116

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000028206-13.dat	dcrat
behavioral1/memory/5300-16-0x0000000000600000-0x00000000006D6000-memory.dmp	dcrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
36	5680	WmiPrvSE.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	componentwebsession.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 2 IoCs

pid	Process
5300	componentwebsession.exe
5680	WmiPrvSE.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\ea1d8f6d871115	componentwebsession.exe
File created	C:\Program Files (x86)\Windows Sidebar\WmiPrvSE.exe	componentwebsession.exe
File created	C:\Program Files (x86)\Windows Sidebar\24dbde2999530e	componentwebsession.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\upfc.exe	componentwebsession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\Local Settings	componentwebsession.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4828	schtasks.exe
4840	schtasks.exe
4864	schtasks.exe
4884	schtasks.exe
4916	schtasks.exe
4932	schtasks.exe
4764	schtasks.exe
4880	schtasks.exe
3824	schtasks.exe
3796	schtasks.exe
4776	schtasks.exe
1088	schtasks.exe
4700	schtasks.exe
4876	schtasks.exe
5284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5300	componentwebsession.exe
5300	componentwebsession.exe
5300	componentwebsession.exe
5300	componentwebsession.exe
5680	WmiPrvSE.exe
5680	WmiPrvSE.exe
5680	WmiPrvSE.exe
5680	WmiPrvSE.exe
5680	WmiPrvSE.exe
5680	WmiPrvSE.exe
5680	WmiPrvSE.exe
5680	WmiPrvSE.exe
5680	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5300	componentwebsession.exe
Token: SeDebugPrivilege	5680	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2688	2880	DCRatBuild.exe	81
PID 2880 wrote to memory of 2688	2880	DCRatBuild.exe	81
PID 2880 wrote to memory of 2688	2880	DCRatBuild.exe	81
PID 2688 wrote to memory of 5384	2688	WScript.exe	88
PID 2688 wrote to memory of 5384	2688	WScript.exe	88
PID 2688 wrote to memory of 5384	2688	WScript.exe	88
PID 5384 wrote to memory of 5300	5384	cmd.exe	90
PID 5384 wrote to memory of 5300	5384	cmd.exe	90
PID 5300 wrote to memory of 1784	5300	componentwebsession.exe	106
PID 5300 wrote to memory of 1784	5300	componentwebsession.exe	106
PID 1784 wrote to memory of 2444	1784	cmd.exe	108
PID 1784 wrote to memory of 2444	1784	cmd.exe	108
PID 1784 wrote to memory of 5680	1784	cmd.exe	110
PID 1784 wrote to memory of 5680	1784	cmd.exe	110
PID 5680 wrote to memory of 1208	5680	WmiPrvSE.exe	131
PID 5680 wrote to memory of 1208	5680	WmiPrvSE.exe	131
PID 1208 wrote to memory of 1952	1208	cmd.exe	133
PID 1208 wrote to memory of 1952	1208	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Bridgemsblockcomponentperf\NlYVQ5qrJ.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Bridgemsblockcomponentperf\2hJ7Mn5f5Z5JkVq57.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5384
  - - C:\Bridgemsblockcomponentperf\componentwebsession.exe
      "C:\Bridgemsblockcomponentperf\componentwebsession.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qNNmOF3bae.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2444
      - C:\Program Files (x86)\Windows Sidebar\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows Sidebar\WmiPrvSE.exe"
        6⤵
        Modifies WinLogon for persistence
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\27bcfc6558aaf0254f0c5fc8ee67bab5\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\27bcfc6558aaf0254f0c5fc8ee67bab5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\27bcfc6558aaf0254f0c5fc8ee67bab5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\fc080a577739bdbaee43ae5ca1\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\fc080a577739bdbaee43ae5ca1\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\fc080a577739bdbaee43ae5ca1\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Bridgemsblockcomponentperf\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Bridgemsblockcomponentperf\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Bridgemsblockcomponentperf\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "componentwebsession" /f
1⤵
- Process spawned unexpected child process
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "componentwebsessionc" /f
1⤵
- Process spawned unexpected child process
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "cmd" /f
1⤵
- Process spawned unexpected child process
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "cmdc" /f
1⤵
- Process spawned unexpected child process
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "System" /f
1⤵
- Process spawned unexpected child process
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SystemS" /f
1⤵
- Process spawned unexpected child process
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WaaSMedicAgent" /f
1⤵
- Process spawned unexpected child process
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WaaSMedicAgentW" /f
1⤵
- Process spawned unexpected child process
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSE" /f
1⤵
- Process spawned unexpected child process
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSEW" /f
1⤵
- Process spawned unexpected child process
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "upfc" /f
1⤵
- Process spawned unexpected child process
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "upfcu" /f
1⤵
- Process spawned unexpected child process
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSE" /f
1⤵
- Process spawned unexpected child process
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSEW" /f
1⤵
- Process spawned unexpected child process
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\27bcfc6558aaf0254f0c5fc8ee67bab5\ebf1f9fa8afd6d

Filesize
133B

MD5
f2f182da1bc0291d4171c41b3db5f874

SHA1
686b76e3ca4664ff8611ec95333c3feba69759bc

SHA256
d827b04c7dd2b2cf45f84c42bfe0b6c07424f935afc9a91b8ead8048b270f6de

SHA512
5f9c87ab1c4bdf93df5bfb615f1c69f4fc26a9e4ff7cdd616da13a7d7f67ce51756f80f683feba2457f128a636f6b957f08dab721287e39829474ef8b092de25

Download Submit
C:\Bridgemsblockcomponentperf\2hJ7Mn5f5Z5JkVq57.bat

Filesize
55B

MD5
8f7257c5f547039c68750c858b05a0ce

SHA1
1c222f1fa6a871cdb8d8bf90ab5d2f8f0b64e0ee

SHA256
2d925c9f62648aaf46b91efb3e63e6eb49dbcdbebf85acd9886ce71d001cb504

SHA512
eaaf6cd27c1d10afdcefafaa4f488ff0121a966ceb67821fcffac777a27b394a431dac44f953dc868bf8db42e420e8e37ca05717ce65cb711085059dded718af

Download Submit
C:\Bridgemsblockcomponentperf\NlYVQ5qrJ.vbe

Filesize
221B

MD5
372a1fd5b0a18b5d2c8433868b80409f

SHA1
9460aeae733aca6a42a1b45ad5684cab9cbddef5

SHA256
e511fb9d01a3955c024250db45725d631ced31d74b96525c11dc46ac79613fa7

SHA512
910646531fcb860b91ea656c73a66981eb3c1f10d20e5dbb0fbd4ede6541abae11bd3a18daee519b53cd370f94d0262f51ddca642e6e1af5e7955b824611e278

Download Submit
C:\Bridgemsblockcomponentperf\c82b8037eab33d

Filesize
774B

MD5
0b2af4f1ec8197124d37d34bb3336172

SHA1
a357c6c13ebf338a569e61181a0fbbfa5902dd2a

SHA256
1faebabbfaf443fcfe732a575a176b7d0026ff6f6757e6762c8ed06cde719dcd

SHA512
29e28d294f385c6476a134c87b036e4013e45f8826a42b04c4964e3e9c92c663683266794341f311696fdff39e3011d90dae3dbe70639b803e4850f9976168d3

Download Submit
C:\Bridgemsblockcomponentperf\componentwebsession.exe

Filesize
829KB

MD5
9ec0d74bdb80b5c29ff2d930c22ba856

SHA1
f58ca771c957db21e5fd41c4ea2d0563e3b876c8

SHA256
c5750aada53c6a8c0f2214e463e960ac582c2c27a5b4e33bf52fee513b39607c

SHA512
1a43ef0e869c7657ae2236164ad09c64a05b1cf94ef44addddcd94015c455ee263f1bf1c3ec24fe44b99d6c8c8f9b746d13b3fe510364670f7c3edf7299367b4

Download Submit
C:\Program Files (x86)\Internet Explorer\de-DE\ea1d8f6d871115

Filesize
285B

MD5
68c9dfcc4e0ec10c20c013e54d8beab2

SHA1
ad54e68b86f6304cc1b92fb6593ee228e3faab21

SHA256
0505a4c29cbefe33a8c7cd640589949bf3d6dd725ed3104675502f2ffb499a38

SHA512
7526158f660b3f34c6ef3b53aca95fb15320cb0459e2cc4a249ffe4d2a6ec05153377055ddc872bfc759980de5fd0eef60e126ac36c4d72b0a0e3ccd56bfb20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qNNmOF3bae.bat

Filesize
216B

MD5
26f517d224ae60a78a207043a69e6ccb

SHA1
bc2a1b9d80d74a749fc0d6267f0f8ed05a913fb1

SHA256
2c35f31919b099eadef8b2ec3c0fec0786ff7d446011748e4fd7b0a9affb98c1

SHA512
ea585169c90d6c8098f36054963a586cf7cc427f9250168ffcc029e11124635f47eb762203d531ead4a68c354966a43f1be613d5c1b605ef5e9caa7bbd694f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
290B

MD5
e9f1e76cc26eb628c67ad77867c61c6e

SHA1
c99a43e9c42a64112883e94c25fea82777ba2f27

SHA256
48635b6f2ee4e83fd853ea3507c4dcf75d67f3cd4c1834808ccf2fb71c62fb49

SHA512
93a62430c0ac8a0df7e6201b0758dece12684cb9613b6ce281e3129bbd5515276227784101370728f321372f1705c857067d037d4c809c67e4b5502d10905381

Download Submit
C:\fc080a577739bdbaee43ae5ca1\27d1bcfc3c54e0

Filesize
670B

MD5
fce9c3e179c460133fedb917cc06e4ac

SHA1
69b16ea8b2141427c6d91edd28508bab0fe05759

SHA256
d382a5a46fdb5cb3271682286f175d23d962f6337b1ce4d0f63324bec6cce1ba

SHA512
7c7dec4fa7ddde365747185ddc7fed8b3511ddb4bed7331097b28676b5f972ea3dde45e5d4d4a91165cc8c90f6ee8ab11e81de115839b068973a5f7aa8e043ac

Download Submit
memory/5300-15-0x00007FFA76093000-0x00007FFA76095000-memory.dmp

Filesize
8KB

Download
memory/5300-16-0x0000000000600000-0x00000000006D6000-memory.dmp

Filesize
856KB

Download
memory/5680-32-0x00000000015F0000-0x0000000001600000-memory.dmp

Filesize
64KB

Download