06dc7b7e08aa008ccc34348fb7038cd27b2bb452e8c2d4c9cb999bd9c761b4b4

Analysis

max time kernel
149s
max time network
161s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magick Checker Setup.exe
Size

6.8MB
MD5

fcb2050edae5d41df79fc7908ea83c6d
SHA1

c8f76749c884179deca40e79f1c512e7d64cce05
SHA256

06dc7b7e08aa008ccc34348fb7038cd27b2bb452e8c2d4c9cb999bd9c761b4b4
SHA512

f364ccb2c96b01ff27ee9fe6b606664bca45122fde36ff2aeff78bec2a82c4d3d2422a641d0a93f14217fc2153293d75bec732239ad97653a69efda9af4f0de9
SSDEEP

196608:OczD3cGXfjlZ+gkb7CWKq90PEhEY/smaz8:L3HXrlzkf5pXKz8

Score

9^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Magick Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Magick Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Magick Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Magick Checker.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Magick Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Magick Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Magick Checker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Magick Checker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Magick Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Magick Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Magick Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Magick Launcher.exe

Executes dropped EXE 5 IoCs

pid	Process
1184	Magick Checker Setup.tmp
2756	Magick Launcher.exe
964	Magick Launcher.exe
456	Magick Launcher.exe
4008	Magick Checker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magick Launcher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magick Launcher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magick Launcher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magick Checker.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Magick Checker.exe
File opened for modification	\??\PhysicalDrive0	Magick Launcher.exe
File opened for modification	\??\PhysicalDrive0	Magick Launcher.exe
File opened for modification	\??\PhysicalDrive0	Magick Launcher.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
964	Magick Launcher.exe
2756	Magick Launcher.exe
456	Magick Launcher.exe
4008	Magick Checker.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Magick Checker\unins000.dat	Magick Checker Setup.tmp
File created	C:\Program Files (x86)\Magick Checker\is-V80EK.tmp	Magick Checker Setup.tmp
File created	C:\Program Files (x86)\Magick Checker\is-VVCBP.tmp	Magick Checker Setup.tmp
File created	C:\Program Files (x86)\Magick Checker\Magick Checker.exe	Magick Launcher.exe
File created	C:\Program Files (x86)\Magick Checker\Magick Checker.exe	Magick Launcher.exe
File created	C:\Program Files (x86)\Magick Checker\Updater.bin	Magick Launcher.exe
File opened for modification	C:\Program Files (x86)\Magick Checker\Magick Launcher.exe	Magick Checker Setup.tmp
File opened for modification	C:\Program Files (x86)\Magick Checker\unins000.dat	Magick Checker Setup.tmp
File created	C:\Program Files (x86)\Magick Checker\Updater.bin	Magick Launcher.exe
File opened for modification	C:\Program Files (x86)\Magick Checker\Updater.bin	Magick Launcher.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\is-CCCGS.tmp	Magick Checker Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1184	Magick Checker Setup.tmp
1184	Magick Checker Setup.tmp
964	Magick Launcher.exe
964	Magick Launcher.exe
2756	Magick Launcher.exe
2756	Magick Launcher.exe
5012	powershell.exe
5012	powershell.exe
2200	powershell.exe
2200	powershell.exe
964	Magick Launcher.exe
456	Magick Launcher.exe
456	Magick Launcher.exe
2756	Magick Launcher.exe
1840	powershell.exe
1840	powershell.exe
964	Magick Launcher.exe
2756	Magick Launcher.exe
456	Magick Launcher.exe
4008	Magick Checker.exe
4008	Magick Checker.exe
3168	powershell.exe
3168	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	Magick Launcher.exe
Token: SeDebugPrivilege	2756	Magick Launcher.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	456	Magick Launcher.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	4008	Magick Checker.exe
Token: SeDebugPrivilege	3168	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1184	Magick Checker Setup.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2756	Magick Launcher.exe
964	Magick Launcher.exe
456	Magick Launcher.exe
4008	Magick Checker.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1184	2044	Magick Checker Setup.exe	80
PID 2044 wrote to memory of 1184	2044	Magick Checker Setup.exe	80
PID 2044 wrote to memory of 1184	2044	Magick Checker Setup.exe	80
PID 964 wrote to memory of 5012	964	Magick Launcher.exe	87
PID 964 wrote to memory of 5012	964	Magick Launcher.exe	87
PID 964 wrote to memory of 5012	964	Magick Launcher.exe	87
PID 2756 wrote to memory of 2200	2756	Magick Launcher.exe	89
PID 2756 wrote to memory of 2200	2756	Magick Launcher.exe	89
PID 2756 wrote to memory of 2200	2756	Magick Launcher.exe	89
PID 456 wrote to memory of 1840	456	Magick Launcher.exe	92
PID 456 wrote to memory of 1840	456	Magick Launcher.exe	92
PID 456 wrote to memory of 1840	456	Magick Launcher.exe	92
PID 964 wrote to memory of 4008	964	Magick Launcher.exe	94
PID 964 wrote to memory of 4008	964	Magick Launcher.exe	94
PID 964 wrote to memory of 4008	964	Magick Launcher.exe	94
PID 4008 wrote to memory of 3168	4008	Magick Checker.exe	95
PID 4008 wrote to memory of 3168	4008	Magick Checker.exe	95
PID 4008 wrote to memory of 3168	4008	Magick Checker.exe	95

C:\Users\Admin\AppData\Local\Temp\Magick Checker Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Magick Checker Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\is-31308.tmp\Magick Checker Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-31308.tmp\Magick Checker Setup.tmp" /SL5="$50068,6253121,793600,C:\Users\Admin\AppData\Local\Temp\Magick Checker Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3668

C:\Program Files (x86)\Magick Checker\Magick Launcher.exe
"C:\Program Files (x86)\Magick Checker\Magick Launcher.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Get-MpComputerStatus | Select-Object -ExpandProperty RealTimeProtectionEnabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200

C:\Program Files (x86)\Magick Checker\Magick Launcher.exe
"C:\Program Files (x86)\Magick Checker\Magick Launcher.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Get-MpComputerStatus | Select-Object -ExpandProperty RealTimeProtectionEnabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Program Files (x86)\Magick Checker\Magick Checker.exe
  "C:\Program Files (x86)\Magick Checker\Magick Checker.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Get-MpComputerStatus | Select-Object -ExpandProperty RealTimeProtectionEnabled
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3168

C:\Program Files (x86)\Magick Checker\Magick Launcher.exe
"C:\Program Files (x86)\Magick Checker\Magick Launcher.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Get-MpComputerStatus | Select-Object -ExpandProperty RealTimeProtectionEnabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Magick Checker\Magick Checker.exe

Filesize
8.8MB

MD5
20c976cdfe440999163c519a8844b276

SHA1
a4fea5689010f80cf695c1e7633a9c8c47336f3f

SHA256
5d57bb4a52ae2486e7febd3927579bb47eba9d82cb933874496a88f7a38ef8cd

SHA512
ae50eb47da03ca0845cd3a1fe518d30bd59139bdaed025bbfca3af54e5ef6c3e90fb4dd0381ad831f8872613d62b34c3ad103e31a556c166113c97e9394af660

Download Submit
C:\Program Files (x86)\Magick Checker\Magick Checker.exe

Filesize
3.4MB

MD5
505cce6b91365222c86238fe03ed8e5e

SHA1
9777f437fbfad35d1cc2597a66356cd9f25c30f2

SHA256
183ff1c7eb7ce6cf5861d9b91893ccefcf478a40caf696d5ce88caa25bb82d4e

SHA512
91da5e1d8d9a89db7918db2c15f690135cff56d10c4cc9fda2596abbd22135e4a46546db35bd3f213b78ccca0ab534016749283bb8b4825e7045b75841c5dcf3

Download Submit
C:\Program Files (x86)\Magick Checker\Magick Checker.exe

Filesize
704KB

MD5
de77648c64cfb685fa1b450b7de07c83

SHA1
424fcc827b01d593cf8916bec46ed87f1f3c7139

SHA256
bfd2b615e90312d3d80f430eae14aa3d165a100566d315518f9238be4369021b

SHA512
d9fd88e2e3cce88368efc0b942b82bce47533eabb156e4f72dbec9c507d4ddb062d23064e7de55a70d06dc0d5a963876c2fa4110e35c8f398fcac3c549c3d220

Download Submit
C:\Program Files (x86)\Magick Checker\Magick Launcher.exe

Filesize
2.8MB

MD5
2e10de3f20995f1d512c23c5699f4081

SHA1
4073a7f4f3c883b926dd9962f6ab7789e2e5ef17

SHA256
56ec00f9347977a627fc8f6ac8a9f9ef67ba5480e0c026603bd4dee3f6521ff2

SHA512
410d85db9b50acb62bad6ba567ec8c17dde0f767253474cc106cc5edbde299e88dff361149269fc4f4eb2cd07a5a88b6680d49676419f8c848f3dc0e46c41bb8

Download Submit
C:\Program Files (x86)\Magick Checker\Magick Launcher.exe

Filesize
5.0MB

MD5
8380f5797e9634985f9c44995f1920b1

SHA1
329e5eb9e707e322ae35973b4de5e9992df1e2e3

SHA256
a28925a91af8dee172554bdbf02c2ffaa8fe463998ef97fdf2795ab36d1625af

SHA512
f66631b0e6a39009a28710ea3086d3ee7e83492daa2ae8f7f0730f7b02088d9e47c319d1380f1ea17797de4a6426d0edb62a5126b990db831689198c650e87ea

Download Submit
C:\Program Files (x86)\Magick Checker\Magick Launcher.exe

Filesize
3.9MB

MD5
3de8adaf5440886c61b4de3ee5d7a617

SHA1
a10d9e0edf12879a64340d5e355e83aeaa79fc2a

SHA256
faac18c7aa2a90a59a21fb92c7ec418200c8dac61a70c454a20f443bab3d9483

SHA512
85604303b969aae40ba03a13284816a7b84afde8a6815f9357c9fc367a1a42f3d3e4cc1f0477dea32bea1e6e503b7aef8eef5b53bdc129990cc3167df54e1f71

Download Submit
C:\Program Files (x86)\Magick Checker\Magick Launcher.exe

Filesize
5.0MB

MD5
65cfbd0266170891620def95020ed2fc

SHA1
9a1acdbca813f50f7d4d9be53aba4d8cdfc7823a

SHA256
568822e9c645be3622ac1bcfcc7f134e91a913bd6688d55ea430cc5fbc8f79a3

SHA512
992f8ebbcc445730033973125a92cebaf0ecdfb0d1deea6cb6a8e3cf380718bd1fe277ae7e3ec6637e2178e6fa943332c358f1712d165a0ef3501a8967e66d09

Download Submit
C:\Program Files (x86)\Magick Checker\Magick Launcher.exe

Filesize
4.5MB

MD5
809cdb934f2419a835b9a5d70e70bb39

SHA1
66bb5cc0daea41f7db42dabad18ddc30e4cc7097

SHA256
3c94436a4bfbf2357cbcb574b84a41b9ce2d635dd3a63d7eb9e85222075b9c07

SHA512
89996ab683b2e5409f68c6feb22c96828399ce5838130d68e6a634feaa80fbcdc1f42088031a94564c77583c8f8667bae7e3d6c239f1b5fa1171df46cdac1352

Download Submit
C:\Program Files (x86)\Magick Checker\Updater.bin

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\mntemp

Filesize
16B

MD5
ef746562111894462933ef3d789f671b

SHA1
a8e046b7bfae9e4acd185199b8e66a400067cc20

SHA256
6245aa6023b9e3aaf4ab0d6b7256f6be28752949c553808939644cf89ee37d15

SHA512
e07dbae3eb1b926cb3ad17c72bc77527c062e521c2026ceb6142bfd33b6100254f7aae389a446bfe06e258e816e700652ceefc6374e53877018c338d9118135f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bf86ce16065eb2ab1f5c5a10589ed19c

SHA1
7dfe71f34dba4e1a323d1fb447d91f834924733a

SHA256
568b6d7d5cdd8f1035d58b94e8c50f5a7417ffd3afb121018a826e570802f14b

SHA512
0e52f9b1642908601bf41ff2b3c173b7e83cc0a8bef66a4abaf687987a3c52f7cd0acc01f248cfbee44af01eaa24cec97da8d3c30e8dbf1e063ef9852ecb9f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d99a00430d0ac09c4c287808613408f9

SHA1
dda91eb23753b9eff1bbe1f5c3fc3ad2ffb2e027

SHA256
fc3c72fe603e2d9cf1c13842e28bdfdb87b65bb5040685692a69286cc047d05a

SHA512
98e3a3c6dc5da31330fc289e61a36437f1b4e5cd4dd8a49b0365986592583cb9a48b4bef9d48c90d8dcc552b65792d35d543da144e68098bd08b661c9cc9b1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kqopepof.va1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31308.tmp\Magick Checker Setup.tmp

Filesize
3.0MB

MD5
5a44dc60dcfa0abe9b72425280da431f

SHA1
7e7c5843c58bbcd473ad1e8a19ff6187159b7d09

SHA256
351a7744533a39df7c2a033500f1754861bb5ab199849318cd4e923794e746e1

SHA512
75d19b6f84109c517653df11508b94e7c6b70d752ba6bdbc3f6a623822ad471caa02e5ac3d50350cade7cbe31462f6c7f32a4130a3e9191c4289a6fd5124555c

Download Submit
C:\WINDOWS\FONTS\MONOTYPE CORSIVA.TTF

Filesize
153KB

MD5
b98f57ac686fc135914a844ec0ce8d49

SHA1
77ddc3e97898d7363ba296925181ac5430c38cb1

SHA256
a6f6dacb871be365ad93fe1aab09332f768cd2aa35fdfca8e0053a38f5a2662b

SHA512
5602a76d11b9fbbe97b7ede0ff0757d9beefd5efc329252d76b927569bc66ebe677f40cc3160bb12ee6ddb9461ad6df881690452554aab929bb24288261788ca

Download Submit
memory/456-139-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/456-140-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/456-142-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/964-54-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/964-38-0x00000000775B6000-0x00000000775B8000-memory.dmp

Filesize
8KB

Download
memory/964-46-0x0000000006440000-0x00000000064DC000-memory.dmp

Filesize
624KB

Download
memory/964-47-0x0000000006A90000-0x0000000007036000-memory.dmp

Filesize
5.6MB

Download
memory/964-48-0x0000000006580000-0x0000000006612000-memory.dmp

Filesize
584KB

Download
memory/964-49-0x0000000006510000-0x000000000651A000-memory.dmp

Filesize
40KB

Download
memory/964-50-0x0000000006750000-0x00000000067A6000-memory.dmp

Filesize
344KB

Download
memory/964-113-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/964-100-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/964-44-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/964-119-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/964-36-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/964-37-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/964-63-0x0000000006740000-0x0000000006750000-memory.dmp

Filesize
64KB

Download
memory/964-39-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/964-141-0x0000000006740000-0x0000000006750000-memory.dmp

Filesize
64KB

Download
memory/964-45-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/1184-6-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1184-9-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1184-25-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2044-8-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2044-1-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2044-26-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2200-120-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2200-87-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-121-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/2200-84-0x0000000073E40000-0x00000000745F1000-memory.dmp

Filesize
7.7MB

Download
memory/2200-115-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-86-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/2756-30-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/2756-29-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/2756-32-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/2756-35-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/2756-58-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/2756-59-0x0000000000CF0000-0x0000000001A00000-memory.dmp

Filesize
13.1MB

Download
memory/2756-62-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/2756-68-0x0000000076420000-0x0000000076510000-memory.dmp

Filesize
960KB

Download
memory/2756-82-0x0000000006060000-0x0000000006070000-memory.dmp

Filesize
64KB

Download
memory/5012-70-0x0000000004FF0000-0x0000000005012000-memory.dmp

Filesize
136KB

Download
memory/5012-133-0x0000000007430000-0x0000000007438000-memory.dmp

Filesize
32KB

Download
memory/5012-114-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/5012-112-0x0000000007730000-0x0000000007DAA000-memory.dmp

Filesize
6.5MB

Download
memory/5012-116-0x0000000007170000-0x000000000717A000-memory.dmp

Filesize
40KB

Download
memory/5012-117-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/5012-81-0x00000000058D0000-0x0000000005C27000-memory.dmp

Filesize
3.3MB

Download
memory/5012-69-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/5012-111-0x0000000006FB0000-0x0000000007054000-memory.dmp

Filesize
656KB

Download
memory/5012-118-0x0000000007300000-0x0000000007311000-memory.dmp

Filesize
68KB

Download
memory/5012-130-0x0000000007330000-0x000000000733E000-memory.dmp

Filesize
56KB

Download
memory/5012-131-0x0000000007340000-0x0000000007355000-memory.dmp

Filesize
84KB

Download
memory/5012-132-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/5012-71-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/5012-136-0x0000000073E40000-0x00000000745F1000-memory.dmp

Filesize
7.7MB

Download
memory/5012-109-0x0000000006D80000-0x0000000006D9E000-memory.dmp

Filesize
120KB

Download
memory/5012-67-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/5012-65-0x0000000073E40000-0x00000000745F1000-memory.dmp

Filesize
7.7MB

Download
memory/5012-66-0x00000000050D0000-0x00000000056FA000-memory.dmp

Filesize
6.2MB

Download
memory/5012-64-0x00000000028E0000-0x0000000002916000-memory.dmp

Filesize
216KB

Download
memory/5012-110-0x000000007F170000-0x000000007F180000-memory.dmp

Filesize
64KB

Download
memory/5012-74-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/5012-99-0x000000006FE00000-0x000000006FE4C000-memory.dmp

Filesize
304KB

Download
memory/5012-98-0x0000000006D40000-0x0000000006D74000-memory.dmp

Filesize
208KB

Download
memory/5012-97-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/5012-88-0x0000000005E50000-0x0000000005E9C000-memory.dmp

Filesize
304KB

Download
memory/5012-85-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

Filesize
120KB

Download