Overview

overview

10

Static

static

3

afe966f7d7...1N.exe

windows7-x64

10

afe966f7d7...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe

  • Size

    1.9MB

  • MD5

    38c14805a17436bc0118dfaa6547eec0

  • SHA1

    77ee261fd0d14577058bd1114bfd4a34aa0990e6

  • SHA256

    afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081

  • SHA512

    bfec5fa0c4d45ebcc26bf18f3ccf0ea9b6bc6de62ce1ddfc012ef69f42c2bf45d90a3dc5f6537e62e6d0e30247eb0c2b5495249b01d0b158b6a73dd29e657754

  • SSDEEP

    24576:W7/weHc1lJq2tB/pw97SSwEWJSwDFrs7+6pa7gv6a9MrYetY5Q62xo2CPV84uMY1:qqpji7SxFgz7XM7metv6s2N8W

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe
    "C:\Users\Admin\AppData\Local\Temp\afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddjce1jp\ddjce1jp.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E.tmp" "c:\Windows\System32\CSC685A51B84928445FB710A1E5C0EE7DD3.TMP"
        3⤵
          PID:1864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:996
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:916
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:816
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WMIADAP.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bCyKkots12.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:3024
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2996
          • C:\Users\Admin\AppData\Local\Temp\afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe
            "C:\Users\Admin\AppData\Local\Temp\afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2676
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1616
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2844
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2996
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2244
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:332
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081Na" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2200
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1440
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081Na" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081N.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2196

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        Filesize

        1.9MB

        MD5

        38c14805a17436bc0118dfaa6547eec0

        SHA1

        77ee261fd0d14577058bd1114bfd4a34aa0990e6

        SHA256

        afe966f7d7d027792cc718eba58d9ee3e7b2929e9cb3eed8902537d8c375e081

        SHA512

        bfec5fa0c4d45ebcc26bf18f3ccf0ea9b6bc6de62ce1ddfc012ef69f42c2bf45d90a3dc5f6537e62e6d0e30247eb0c2b5495249b01d0b158b6a73dd29e657754

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES5E.tmp
        Filesize

        1KB

        MD5

        bdfddd8b50f363e7a32baab1de69a583

        SHA1

        d806aae10ebe017dd9c9cb77fed50d655728ed47

        SHA256

        7e1cf0ee30681949e87d1c6364ad9f3c17fa599784f82bc613c9bdc16507f10d

        SHA512

        e40d720c44f2be99227caeb5226e609c7fa274436b9dbd2a050f8bf65fc77d7a9502499c3b9f567bcf3029d9f4f5fafa109b78f213644df95cb3c0f2a0d4ebb9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bCyKkots12.bat
        Filesize

        231B

        MD5

        b4f7aa1299251f289f2130fb4899a70a

        SHA1

        8c88ae53cf29cbd59c68ef1ea2a5bba5b736b71f

        SHA256

        80651dcd7ee8d1b4a78959abc0f16f2a66137918a95064366522b8c7acb63f69

        SHA512

        f2dae4f40a7c27478c944089c24500dddb47aa794ea67371881eb53dd54c95adb90585ccf70bc618769411430fe73debafe18d2915315dc3aee7b201e6272d36

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8H01JCG3S7MD9KCI5323.temp
        Filesize

        7KB

        MD5

        bc5e0af80f7d8ead9c227f97ad359ad4

        SHA1

        463ac8aac993284363cf173c5349ee5931a596cd

        SHA256

        24b8033f5496602dba57da8edf9bbe67e94fed3c5a080cc7cd5004f7bf70b5e3

        SHA512

        acc853dbf62ee9e8630ff1d87b7610ccb7deebe56948c672445668c913f5620ceaa3e12e1a492267b34aa3c112fe9170b8c14008e947b73d5773061432b632ee

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ddjce1jp\ddjce1jp.0.cs
        Filesize

        392B

        MD5

        ceaed59eeac03431d20f0bd67f32750f

        SHA1

        8c2373b565b78939c1569eabe64e672c2faf11d7

        SHA256

        a4e534d4f3680e35a8c7e413a02b89667c5dfab35744ccf850a23e6651da24c8

        SHA512

        8e3df332687424479dfe9da25c409dbcf9258678af6cc1d0c8768c236ee1663c23ef41b26ead34b5ec3a1f833fe66fba251948af3f945eecaf557ead47583fe7

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ddjce1jp\ddjce1jp.cmdline
        Filesize

        235B

        MD5

        209e6d90c9388d04febb43209c3e0b12

        SHA1

        47d738f2ad28f19df99bce6ca22181f0547579a2

        SHA256

        05e7e93c854156d85d721970bfb6680e02891ef6400b613517ebccd2014fd6de

        SHA512

        e86f0f039b5cbf9c41746f2145c955797fba759615f0a517a0efe6b5aa647f016ef38c9cbf93a9a58a325a20cd8c4a05c836bf586fdef21673603f54136b22a4

        Download Submit

      • \??\c:\Windows\System32\CSC685A51B84928445FB710A1E5C0EE7DD3.TMP
        Filesize

        1KB

        MD5

        70046c6c63d509bb29450ef32b59dda3

        SHA1

        26802b73997ee22a7cd3d07ae77016969603cf00

        SHA256

        dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

        SHA512

        d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

        Download Submit

      • memory/1056-32-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-7-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-12-0x0000000002210000-0x0000000002228000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1056-14-0x0000000000620000-0x000000000062E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1056-16-0x0000000000630000-0x000000000063E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1056-18-0x00000000006E0000-0x00000000006EC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1056-19-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-3-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-31-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-4-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-8-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-10-0x00000000006C0000-0x00000000006DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1056-6-0x0000000000610000-0x000000000061E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1056-2-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-0-0x000007FEF4F13000-0x000007FEF4F14000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1056-57-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-56-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1056-1-0x0000000000300000-0x00000000004F2000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1804-54-0x000000001B730000-0x000000001BA12000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1804-55-0x00000000026D0000-0x00000000026D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2272-143-0x00000000009E0000-0x0000000000BD2000-memory.dmp

        Filesize

        1.9MB

        Download