babadeda | b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
11-04-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe
Size

107.9MB
MD5

e4c7e50f00bb0df010b2067178c7af0d
SHA1

eaf452720b75bec51f7e15b833192c39c318f09e
SHA256

b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c
SHA512

823c6eef9ec3dbf8cec1cdcdbbcd9180ed70cf41a673c9253d4eb1d2a4b489567345d4e9981003bcfab6b38e3c5f9fee538d3610d6c515557cf241e9885be5b8

Score

10^/10

babadeda crypter loader persistence

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000021f1b-153.dat	family_babadeda
behavioral2/memory/4184-154-0x00000000064C0000-0x000000000B5C0000-memory.dmp	family_babadeda

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1812 created 4536	1812	svchost.exe	87

Executes dropped EXE 5 IoCs

pid	Process
4936	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp
2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp
2192	tracegen.exe
4536	AdobeIPCBroker.exe
4184	AdobeIPCBroker.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ipcmanager.lnk	AdobeIPCBroker.exe

Loads dropped DLL 7 IoCs

pid	Process
4536	AdobeIPCBroker.exe
4536	AdobeIPCBroker.exe
4536	AdobeIPCBroker.exe
4184	AdobeIPCBroker.exe
4184	AdobeIPCBroker.exe
4184	AdobeIPCBroker.exe
4184	AdobeIPCBroker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IPC Broker = "C:\\Users\\Admin\\AppData\\Roaming\\FX Draw Tools\\AdobeIPCBroker.exe"	AdobeIPCBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Detects BABADEDA Crypter 2 IoCs

Detects BABADEDA Crypter.

resource	yara_rule
behavioral2/files/0x0006000000021f1b-153.dat	BABADEDA_Crypter
behavioral2/memory/4184-154-0x00000000064C0000-0x000000000B5C0000-memory.dmp	BABADEDA_Crypter

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	AdobeIPCBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	AdobeIPCBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	AdobeIPCBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	AdobeIPCBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp
2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4536	AdobeIPCBroker.exe
Token: SeTcbPrivilege	1812	svchost.exe
Token: SeTcbPrivilege	1812	svchost.exe
Token: SeDebugPrivilege	4184	AdobeIPCBroker.exe
Token: SeDebugPrivilege	4184	AdobeIPCBroker.exe
Token: SeDebugPrivilege	4184	AdobeIPCBroker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4184	AdobeIPCBroker.exe
4184	AdobeIPCBroker.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4936	4716	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe	82
PID 4716 wrote to memory of 4936	4716	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe	82
PID 4716 wrote to memory of 4936	4716	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe	82
PID 4936 wrote to memory of 4588	4936	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	83
PID 4936 wrote to memory of 4588	4936	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	83
PID 4936 wrote to memory of 4588	4936	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	83
PID 4588 wrote to memory of 2212	4588	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe	84
PID 4588 wrote to memory of 2212	4588	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe	84
PID 4588 wrote to memory of 2212	4588	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe	84
PID 2212 wrote to memory of 2192	2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	85
PID 2212 wrote to memory of 2192	2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	85
PID 2212 wrote to memory of 2192	2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	85
PID 2212 wrote to memory of 4536	2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	87
PID 2212 wrote to memory of 4536	2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	87
PID 2212 wrote to memory of 4536	2212	b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp	87
PID 1812 wrote to memory of 4184	1812	svchost.exe	89
PID 1812 wrote to memory of 4184	1812	svchost.exe	89
PID 1812 wrote to memory of 4184	1812	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe
"C:\Users\Admin\AppData\Local\Temp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\is-16G1F.tmp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-16G1F.tmp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp" /SL5="$A005E,112345715,875520,C:\Users\Admin\AppData\Local\Temp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe
    "C:\Users\Admin\AppData\Local\Temp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\is-8HDRS.tmp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-8HDRS.tmp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp" /SL5="$8004E,112345715,875520,C:\Users\Admin\AppData\Local\Temp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Users\Admin\AppData\Roaming\FX Draw Tools\tracegen.exe
        
        "C:\Users\Admin\AppData\Roaming\FX Draw Tools\tracegen.exe"
        5⤵
        Executes dropped EXE
        
        PID:2192
    - - C:\Users\Admin\AppData\Roaming\FX Draw Tools\AdobeIPCBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\FX Draw Tools\AdobeIPCBroker.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
      - C:\Users\Admin\AppData\Roaming\FX Draw Tools\AdobeIPCBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\FX Draw Tools\AdobeIPCBroker.exe" "-relaunchedForIntegrityLevel -launchedbyvulcan-4536 C:\Users\Admin\AppData\Roaming\FX Draw Tools\AdobeIPCBroker.exe"
        6⤵
        Executes dropped EXE
        Drops startup file
        Loads dropped DLL
        Adds Run key to start application
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-16G1F.tmp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp

Filesize
3.1MB

MD5
31ca91499cc1010742c93ead43cfcfb0

SHA1
7c15d275586b5c676522e71ff2050fc034e367cc

SHA256
0a261c1acd2ad1a40de2598e48677a3d2487e791fa15694a39749f1a6cbde4e2

SHA512
bc13af635d813dd92e1a7594c54b04ca7abcceb63a50f7c21d5ce865da5a21ded34716bc456d775bfe5c25ecf4a5de369ab253091316ce4db0b535b47b6634fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HDRS.tmp\b0966b0b2a38cb845932231c04b16d79f2c434a0171ebe151585f154a418e02c.tmp

Filesize
3.1MB

MD5
31ca91499cc1010742c93ead43cfcfb0

SHA1
7c15d275586b5c676522e71ff2050fc034e367cc

SHA256
0a261c1acd2ad1a40de2598e48677a3d2487e791fa15694a39749f1a6cbde4e2

SHA512
bc13af635d813dd92e1a7594c54b04ca7abcceb63a50f7c21d5ce865da5a21ded34716bc456d775bfe5c25ecf4a5de369ab253091316ce4db0b535b47b6634fe

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\AdobeIPCBroker.exe

Filesize
4.6MB

MD5
25d5826c1136dde91cb8ed3b9319c50d

SHA1
627b989677c7d3d7431ca2d1c591fee095197a1e

SHA256
098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

SHA512
73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\AdobeIPCBroker.exe

Filesize
4.6MB

MD5
25d5826c1136dde91cb8ed3b9319c50d

SHA1
627b989677c7d3d7431ca2d1c591fee095197a1e

SHA256
098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

SHA512
73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\AdobeIPCBroker.exe

Filesize
4.6MB

MD5
25d5826c1136dde91cb8ed3b9319c50d

SHA1
627b989677c7d3d7431ca2d1c591fee095197a1e

SHA256
098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

SHA512
73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\CRClient.dll

Filesize
831KB

MD5
b138e3a09a23bb6bfee9c58a11efab07

SHA1
fd268b9f98a811d66cbe595701abd4f3caa0f6d8

SHA256
560a2eb2b1a31801bc6d20e1788736d41ebe2e859f6db364c8b1bee8f620eaf2

SHA512
52c179d656aac9c0ccff05b02a30a57d4ebc1a72bf844cf277c0a3272d57b0f434e909bf41b29e2f0e6968ceed2a51130d431cfd474d53ca89170e86b76b59f2

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\CRClient.dll

Filesize
831KB

MD5
b138e3a09a23bb6bfee9c58a11efab07

SHA1
fd268b9f98a811d66cbe595701abd4f3caa0f6d8

SHA256
560a2eb2b1a31801bc6d20e1788736d41ebe2e859f6db364c8b1bee8f620eaf2

SHA512
52c179d656aac9c0ccff05b02a30a57d4ebc1a72bf844cf277c0a3272d57b0f434e909bf41b29e2f0e6968ceed2a51130d431cfd474d53ca89170e86b76b59f2

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\CRClient.dll

Filesize
831KB

MD5
b138e3a09a23bb6bfee9c58a11efab07

SHA1
fd268b9f98a811d66cbe595701abd4f3caa0f6d8

SHA256
560a2eb2b1a31801bc6d20e1788736d41ebe2e859f6db364c8b1bee8f620eaf2

SHA512
52c179d656aac9c0ccff05b02a30a57d4ebc1a72bf844cf277c0a3272d57b0f434e909bf41b29e2f0e6968ceed2a51130d431cfd474d53ca89170e86b76b59f2

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\MbClient.dll

Filesize
196KB

MD5
59acec969ffeafba1bd0a8de3f933833

SHA1
ba2d6f092cfb9a0c53c4a2c85e87d23cf7accee6

SHA256
7f11cbdb58400bf35f456735d62ab7e84361142a22076d595fec0a27a0c09920

SHA512
f11865b3d0e76277a3c86b5be7ffd34d43ef68a7a1855b4af6dc7e986980d8973c49dea7676b83b359e6ccea15a35628467dc675b793b6d8bc9dc75645ff7400

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\MbClient.dll

Filesize
196KB

MD5
59acec969ffeafba1bd0a8de3f933833

SHA1
ba2d6f092cfb9a0c53c4a2c85e87d23cf7accee6

SHA256
7f11cbdb58400bf35f456735d62ab7e84361142a22076d595fec0a27a0c09920

SHA512
f11865b3d0e76277a3c86b5be7ffd34d43ef68a7a1855b4af6dc7e986980d8973c49dea7676b83b359e6ccea15a35628467dc675b793b6d8bc9dc75645ff7400

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\MbClient.dll

Filesize
196KB

MD5
59acec969ffeafba1bd0a8de3f933833

SHA1
ba2d6f092cfb9a0c53c4a2c85e87d23cf7accee6

SHA256
7f11cbdb58400bf35f456735d62ab7e84361142a22076d595fec0a27a0c09920

SHA512
f11865b3d0e76277a3c86b5be7ffd34d43ef68a7a1855b4af6dc7e986980d8973c49dea7676b83b359e6ccea15a35628467dc675b793b6d8bc9dc75645ff7400

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\SMClient.dll

Filesize
37.7MB

MD5
06dec030f09edb0a35645277215fff4e

SHA1
9c62763311cb8b33af23ea6210cde24d79d5c4e2

SHA256
3a74626c27d5aa43bba0b3825074930d983da942aeef6574389ed0e214d37239

SHA512
a92f0aa36fe6d3f5b7bc657ce9ad0cc27a717de8bbd07cdc6b99dc62de6b49ff666fde139ad58f9218580847c2e3a1dc7453cbf72d7fed2a6b15cf65e5373cc9

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\SMClient.dll

Filesize
37.7MB

MD5
06dec030f09edb0a35645277215fff4e

SHA1
9c62763311cb8b33af23ea6210cde24d79d5c4e2

SHA256
3a74626c27d5aa43bba0b3825074930d983da942aeef6574389ed0e214d37239

SHA512
a92f0aa36fe6d3f5b7bc657ce9ad0cc27a717de8bbd07cdc6b99dc62de6b49ff666fde139ad58f9218580847c2e3a1dc7453cbf72d7fed2a6b15cf65e5373cc9

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\SMClient.dll

Filesize
37.7MB

MD5
06dec030f09edb0a35645277215fff4e

SHA1
9c62763311cb8b33af23ea6210cde24d79d5c4e2

SHA256
3a74626c27d5aa43bba0b3825074930d983da942aeef6574389ed0e214d37239

SHA512
a92f0aa36fe6d3f5b7bc657ce9ad0cc27a717de8bbd07cdc6b99dc62de6b49ff666fde139ad58f9218580847c2e3a1dc7453cbf72d7fed2a6b15cf65e5373cc9

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\StartupOptions.xml

Filesize
1KB

MD5
dcd02122ff75c24cee25500ad3a3d812

SHA1
76e733331554e9aaff6ccf0df22931db9ca852a4

SHA256
059280e2b72f31d15fe6b83b9362be359ebd2f16a5de4763a21d0885183854ba

SHA512
e7fb7605a3d46b302a977b21e14743a5d367ffd50a9ab339108a356894b5d75c7c2693609c9aed84cb8aeaddeb041dc018428ce20f7bc9bbc984b431db58ff21

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\libmwp-2.0.dll

Filesize
33.8MB

MD5
9a5a6bec397d50064962c7b08f295aa9

SHA1
4ec4d6857edadec3d810f8496690ea81f080c0c3

SHA256
3ac5593edf44a93dda10a5bea109c0a09a57aa83065c7bb6a3451c10ce154dfe

SHA512
a1407e4115c9dac754d559f94cd2ed66203827690437bdf2b551f24b21908ff6064127eed24e08e053a3fbbd9d5cb60794100778ab67a1cfe97e059f206f94bb

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\libmwp-2.0.dll

Filesize
33.8MB

MD5
9a5a6bec397d50064962c7b08f295aa9

SHA1
4ec4d6857edadec3d810f8496690ea81f080c0c3

SHA256
3ac5593edf44a93dda10a5bea109c0a09a57aa83065c7bb6a3451c10ce154dfe

SHA512
a1407e4115c9dac754d559f94cd2ed66203827690437bdf2b551f24b21908ff6064127eed24e08e053a3fbbd9d5cb60794100778ab67a1cfe97e059f206f94bb

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\manage

Filesize
2.4MB

MD5
79c513693d39b2121019e572d4ce4aaa

SHA1
b61b04c71df5a8217510abdd7e76a8218056cb0f

SHA256
765f3d4083faead4c36e9b7f6c631d78ba325643502bd7d1ccd3f811e5f47860

SHA512
9572040d3fa29a31dbd773ab32c1607c8d94e4f3bef24c6104a003aaac936f32ec05c974966a82f49d31dc2766aa2e4ed30c03ac356567fc023031d13dd5b3bd

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\tracegen.exe

Filesize
1008KB

MD5
f0ce1fc1ef4cdae853428faf62c7e0bb

SHA1
cc68f5f4922095219de0ed10c39e225ddd1bd99c

SHA256
1381c53093d2bc83d20e466a0e07f7d6963347862283d64582aa9960c187ad75

SHA512
d8301bc03acd774d8216cbf95e6fa59d220c5d7a6182deafcc8d9af78fa53fb89964128b81f2b6247ec48a44c538cd604159415b69754368e3dcf62b98776837

Download Submit
C:\Users\Admin\AppData\Roaming\FX Draw Tools\tracegen.exe

Filesize
1008KB

MD5
f0ce1fc1ef4cdae853428faf62c7e0bb

SHA1
cc68f5f4922095219de0ed10c39e225ddd1bd99c

SHA256
1381c53093d2bc83d20e466a0e07f7d6963347862283d64582aa9960c187ad75

SHA512
d8301bc03acd774d8216cbf95e6fa59d220c5d7a6182deafcc8d9af78fa53fb89964128b81f2b6247ec48a44c538cd604159415b69754368e3dcf62b98776837

Download Submit
memory/4184-154-0x00000000064C0000-0x000000000B5C0000-memory.dmp

Filesize
81.0MB

Download
memory/4588-134-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4588-130-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4716-124-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4716-126-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download