Overview

overview

10

Static

static

3

DCRatBuild.exe

windows10-2004-x64

10

Resubmissions

11-01-2025 22:42

250111-2m5qhavqar 10

11-01-2025 22:39

250111-2lgbhsvpdp 10

11-01-2025 22:29

250111-2effmssnft 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2025 22:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    3.7MB

  • MD5

    072756d824448388227ca413cf9b30fb

  • SHA1

    3774a14ae84e955c57a35f82da833d46cea22ed3

  • SHA256

    0043be0527169c370619ab57df3eefb66f7742e90449cfc952489d70fdbca59a

  • SHA512

    2a3953faddf9b6037a0a34499ac11011e4c22d931ba9e4ab174b0ebd7e1c1bade9546a6b970f6280402905159b42bcdc60c92a91e8dd39cd9ff14ddf73638a4d

  • SSDEEP

    98304:yQpUIa1ishqq/x4XR09rQVkREwySMEX+y:xpUIa0KFl9rnRHPZXF

Score
10/10
dcratdiscoveryevasionexecutioninfostealerpersistenceransomwarerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comdll\4exWDwzwdGdIoLb6OOTKDeE5vKnmRp2hJNj7qr4y3yRCw2tu43CBSny6KK.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\comdll\4j9mXD4SFtpK7TbDoMbaMV7rHFTx27gv5loxd61ax9TZaUUhHC.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:5112
        • C:\comdll\reviewdll.exe
          "C:\comdll/reviewdll.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tl4w2psy\tl4w2psy.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3724
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD26.tmp" "c:\Windows\System32\CSC33B138F66A504C71A9B745C4C41366E.TMP"
              6⤵
                PID:2016
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\cmd.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1468
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1284
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2860
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\explorer.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3912
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2852
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\reviewdll.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:772
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPaWLaysKG.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4124
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4204
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:4236
                  • C:\Recovery\WindowsRE\RuntimeBroker.exe
                    "C:\Recovery\WindowsRE\RuntimeBroker.exe"
                    6⤵
                    • Executes dropped EXE
                    • Sets desktop wallpaper using registry
                    • Modifies Control Panel
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:4560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4128
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:464
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1324
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2260
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3988
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3412
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4240
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4808
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1096
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "reviewdllr" /sc MINUTE /mo 9 /tr "'C:\comdll\reviewdll.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "reviewdll" /sc ONLOGON /tr "'C:\comdll\reviewdll.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "reviewdllr" /sc MINUTE /mo 12 /tr "'C:\comdll\reviewdll.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4624

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        4
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          62623d22bd9e037191765d5083ce16a3

          SHA1

          4a07da6872672f715a4780513d95ed8ddeefd259

          SHA256

          95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

          SHA512

          9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          d28a889fd956d5cb3accfbaf1143eb6f

          SHA1

          157ba54b365341f8ff06707d996b3635da8446f7

          SHA256

          21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

          SHA512

          0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESBD26.tmp
          Filesize

          1KB

          MD5

          ad367ba77ac3cc1d6aef78a75c6cb738

          SHA1

          f4862adf6f4e9407f68982feeda69c09339734aa

          SHA256

          bde687f7e1908e2164d858462feae4059dfca4065fe522b87ea41601e7a47851

          SHA512

          983dce753be668a75c903aaaaba9426f4ae170133b2f1d55174f6ba49d0eec2d4864339a0cd47fe05a224aea6b78cd7d4800f81a68e3bef77b36e52a135681a8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WPaWLaysKG.bat
          Filesize

          215B

          MD5

          43b9507a23d16389d63bfed55de0c1a2

          SHA1

          046c0485f46b33dd229bc3e0d6d88bd16b84ea87

          SHA256

          220fc789ce7e4af651c00f22abeb12e66ee5351e571c02e938b6a3e25b849ad7

          SHA512

          5575dbe86aae1b53236930b2af8c9fe7c3d1f25e49d1d8d301c7d8d972a3bbb43d967dda88ec02b06bc2599b7cb2e851d6c42c8dcf6b5763b680361521ae952e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgz4utb5.0ah.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\comdll\4exWDwzwdGdIoLb6OOTKDeE5vKnmRp2hJNj7qr4y3yRCw2tu43CBSny6KK.vbe
          Filesize

          234B

          MD5

          46d7e19eabaed1a2f85b8a8424dac416

          SHA1

          e06d990343b40ba693a9d791bc32822758e9e460

          SHA256

          a3ee2e31da36005b292231d790c3103560ca7e9aa2f106ce8357b28e480d17fe

          SHA512

          e99691e90149c41c00f4cb7c1b0839ce4c5bc3cee49f6275887404d3807e0c0af04901b7813231576e2cd1226aeb3a6c025bdee7d67bfc35cd7e33cf33b78a49

          Download Submit

        • C:\comdll\4j9mXD4SFtpK7TbDoMbaMV7rHFTx27gv5loxd61ax9TZaUUhHC.bat
          Filesize

          187B

          MD5

          eb4292c364e92458c77e875e2c7df7da

          SHA1

          b53e0db95ddb58ecf519ede0d7a976a52516eaed

          SHA256

          3ab7ad885c7422ef507d9878ea1b371c9b0c7e6bf3f93dd0a576c8d3bc850280

          SHA512

          0fb3aeae473d6a6a805ed580833d6b6dd5a8e3c81500b2c054a3d6c22e75425118f18f8ea8a81daac2c4979e75ecff6979bd1c2b5becf88982b8d04abf9fae01

          Download Submit

        • C:\comdll\reviewdll.exe
          Filesize

          3.4MB

          MD5

          278bb3a4ab923948a0c4f83edd2dee9c

          SHA1

          8852d6a67748a8656ddf19cee916b155044680bd

          SHA256

          b8046f1e47f1673806a5b2938f5194e2984a7c385a13ff8c9daeb378e5d66793

          SHA512

          8b8db76161204c482474b010b2a5605d5d4e9543d67c4dac1d643860351e12eabeca733fbfc30011447aff660be27e3d80d48e88548408c4a8645e5bcb94c26c

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\tl4w2psy\tl4w2psy.0.cs
          Filesize

          384B

          MD5

          41dc37eb9bddc987bfc1ccdd36fa7b44

          SHA1

          42c3412c4f316e6eeb5ed8608eedb7e88cdd2ba5

          SHA256

          887d3a12f9de60211ce313bb5922163c382c6d3b341a7ca8383ca31ce1db78c9

          SHA512

          2de800bc7ae6871e13236351766ab7debe926294620a24ecab57a0fa07cb90b4904f63b57257eaf9fc3977eaf4465578b2fc7d426cda1fee0a816af158e71775

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\tl4w2psy\tl4w2psy.cmdline
          Filesize

          235B

          MD5

          bb7e8b79c78cf35638cc6b92bf78b513

          SHA1

          0632356743c508b752158617dcdab66221af668c

          SHA256

          031b43390177c7ffd1d69088c0bb0e453bcda3c1c8e880d1499c331d618c430c

          SHA512

          933880facb467b789eb234b67770d797c187ea4b9ca9e12e74aa3cd76f71396a0c16aa28f2f6903ff4a665000fb89696549c5d9f36e80a7efd2e4ca0cc377d39

          Download Submit

        • \??\c:\Windows\System32\CSC33B138F66A504C71A9B745C4C41366E.TMP
          Filesize

          1KB

          MD5

          82a7b8ef3bc275711e3b27c6df93c7ff

          SHA1

          bdac909f26475c94c74145576bcf22adb0f8203c

          SHA256

          582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124

          SHA512

          f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

          Download Submit

        • memory/1284-84-0x0000016AD2A90000-0x0000016AD2AB2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2672-25-0x0000000003080000-0x0000000003090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-33-0x000000001D060000-0x000000001D076000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2672-36-0x000000001D5D0000-0x000000001DAF8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/2672-38-0x000000001B9C0000-0x000000001B9CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2672-40-0x000000001B9F0000-0x000000001BA00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-42-0x000000001BA70000-0x000000001BA80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-44-0x000000001D100000-0x000000001D15A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2672-46-0x000000001D040000-0x000000001D04E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2672-48-0x000000001D050000-0x000000001D060000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-50-0x000000001D0A0000-0x000000001D0AE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2672-52-0x000000001D0D0000-0x000000001D0E8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2672-54-0x000000001D0B0000-0x000000001D0BC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2672-56-0x000000001D3B0000-0x000000001D3FE000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2672-35-0x000000001D080000-0x000000001D092000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2672-31-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-29-0x000000001BA50000-0x000000001BA62000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2672-27-0x00000000031D0000-0x00000000031DE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2672-23-0x00000000017C0000-0x00000000017D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-21-0x000000001B9D0000-0x000000001B9E8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2672-109-0x000000001DC00000-0x000000001DCCD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/2672-19-0x00000000017B0000-0x00000000017C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2672-17-0x000000001BA00000-0x000000001BA50000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2672-16-0x00000000031B0000-0x00000000031CC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2672-14-0x0000000001610000-0x000000000161E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2672-12-0x0000000000AD0000-0x0000000000E36000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4560-179-0x000000001E2B0000-0x000000001E37D000-memory.dmp

          Filesize

          820KB

          Download