goldenspy | 2f65238e7b3a8ddd719fb19a506cd1d964fc7b5cab6f3f4e95235c235cac2190

Analysis

max time kernel
161s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
04-02-2022 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edadf30df18e6a7ea190041cf3bd4a0b.exe
Size

366KB
MD5

edadf30df18e6a7ea190041cf3bd4a0b
SHA1

b33c269642bf42b8c71988b9ddbe298e00b65ef1
SHA256

3b8761d2e19bc5185f55cc2f575bbe54a45a52fc1c8650a60f1bd13e01e24655
SHA512

0a22b64f763aa5bf471e2b889899665fa060ae4bd2288c2dd07731aa7411c7d6c2be0c0e3d619adcf064a1815f4a9f641815076970bb690d1ef9390811a1a810

Score

10^/10

goldenspy backdoor discovery persistence suricata trojan

Malware Config

Signatures

GoldenSpy
Backdoor spotted in June 2020 being distributed with the Chinese "Intelligent Tax" software.
trojan backdoor goldenspy

GoldenSpy Payload 8 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload

suricata: ET MALWARE GoldenSpy Domain Observed
suricata: ET MALWARE GoldenSpy Domain Observed
suricata
Executes dropped EXE 6 IoCs

Processes:

svm.exesvmm.exesvm.exesvmm.exesvm.exesvmm.exe

pid process

3360 svm.exe
748 svmm.exe
1440 svm.exe
1488 svmm.exe
1536 svm.exe
2344 svmm.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3360	svm.exe
748	svmm.exe
1440	svm.exe
1488	svmm.exe
1536	svm.exe
2344	svmm.exe

Loads dropped DLL 4 IoCs

Processes:

edadf30df18e6a7ea190041cf3bd4a0b.exe

pid	process
4616	edadf30df18e6a7ea190041cf3bd4a0b.exe
4616	edadf30df18e6a7ea190041cf3bd4a0b.exe
4616	edadf30df18e6a7ea190041cf3bd4a0b.exe
4616	edadf30df18e6a7ea190041cf3bd4a0b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

Processes:

edadf30df18e6a7ea190041cf3bd4a0b.exesvm.exe

description	ioc	process
File created	C:\Program Files (x86)\svm\svm.exe	edadf30df18e6a7ea190041cf3bd4a0b.exe
File opened for modification	C:\Program Files (x86)\svm\log\20220204-svm.log	svm.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

Processes:

WaaSMedicAgent.exesvm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

edadf30df18e6a7ea190041cf3bd4a0b.exesvmm.exesvm.exe

pid	process
4616	edadf30df18e6a7ea190041cf3bd4a0b.exe
4616	edadf30df18e6a7ea190041cf3bd4a0b.exe
4616	edadf30df18e6a7ea190041cf3bd4a0b.exe
4616	edadf30df18e6a7ea190041cf3bd4a0b.exe
2344	svmm.exe
2344	svmm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe
2344	svmm.exe
2344	svmm.exe
1536	svm.exe
1536	svm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4844	svchost.exe
Token: SeCreatePagefilePrivilege	4844	svchost.exe
Token: SeShutdownPrivilege	4844	svchost.exe
Token: SeCreatePagefilePrivilege	4844	svchost.exe
Token: SeShutdownPrivilege	4844	svchost.exe
Token: SeCreatePagefilePrivilege	4844	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

edadf30df18e6a7ea190041cf3bd4a0b.exe

description	pid	process	target process
PID 4616 wrote to memory of 3360	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svm.exe
PID 4616 wrote to memory of 3360	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svm.exe
PID 4616 wrote to memory of 3360	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svm.exe
PID 4616 wrote to memory of 748	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svmm.exe
PID 4616 wrote to memory of 748	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svmm.exe
PID 4616 wrote to memory of 748	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svmm.exe
PID 4616 wrote to memory of 1440	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svm.exe
PID 4616 wrote to memory of 1440	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svm.exe
PID 4616 wrote to memory of 1440	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svm.exe
PID 4616 wrote to memory of 1488	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svmm.exe
PID 4616 wrote to memory of 1488	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svmm.exe
PID 4616 wrote to memory of 1488	4616	edadf30df18e6a7ea190041cf3bd4a0b.exe	svmm.exe

C:\Users\Admin\AppData\Local\Temp\edadf30df18e6a7ea190041cf3bd4a0b.exe
"C:\Users\Admin\AppData\Local\Temp\edadf30df18e6a7ea190041cf3bd4a0b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4616

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -i
2⤵
- Executes dropped EXE
PID:3360

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe" -i
2⤵
- Executes dropped EXE
PID:748

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe" -start
2⤵
- Executes dropped EXE
PID:1488

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe" -start
2⤵
- Executes dropped EXE
PID:1440

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c304cc63ac620e72610ee3e29c0a3a96 XUKIHa4KP0WdUtg8yf/lTA.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\svm\svm.exe
MD5
2c5557250cbd3f7ff3f778aa4fc6e479

SHA1
1aa93b29564cfcdff0f3a29058906b08bf44ea1e

SHA256
a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269

SHA512
a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25

Download Submit
C:\Program Files (x86)\svm\svm.exe
MD5
2c5557250cbd3f7ff3f778aa4fc6e479

SHA1
1aa93b29564cfcdff0f3a29058906b08bf44ea1e

SHA256
a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269

SHA512
a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25

Download Submit
C:\Program Files (x86)\svm\svm.exe
MD5
2c5557250cbd3f7ff3f778aa4fc6e479

SHA1
1aa93b29564cfcdff0f3a29058906b08bf44ea1e

SHA256
a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269

SHA512
a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25

Download Submit
C:\Program Files (x86)\svm\svm.exe
MD5
2c5557250cbd3f7ff3f778aa4fc6e479

SHA1
1aa93b29564cfcdff0f3a29058906b08bf44ea1e

SHA256
a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269

SHA512
a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25

Download Submit
C:\Program Files (x86)\svm\svmm.exe
MD5
2c5557250cbd3f7ff3f778aa4fc6e479

SHA1
1aa93b29564cfcdff0f3a29058906b08bf44ea1e

SHA256
a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269

SHA512
a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25

Download Submit
C:\Program Files (x86)\svm\svmm.exe
MD5
2c5557250cbd3f7ff3f778aa4fc6e479

SHA1
1aa93b29564cfcdff0f3a29058906b08bf44ea1e

SHA256
a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269

SHA512
a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25

Download Submit
C:\Program Files (x86)\svm\svmm.exe
MD5
2c5557250cbd3f7ff3f778aa4fc6e479

SHA1
1aa93b29564cfcdff0f3a29058906b08bf44ea1e

SHA256
a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269

SHA512
a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25

Download Submit
C:\Program Files (x86)\svm\svmm.exe
MD5
2c5557250cbd3f7ff3f778aa4fc6e479

SHA1
1aa93b29564cfcdff0f3a29058906b08bf44ea1e

SHA256
a8169c566bf4566c6c4ba98ce7f9ecf143ae6c21dc0d7b15779c936e1ff60269

SHA512
a9516dad7bd66776a90790571b8a4d2766f117f372a0ff64b12fdd1f4060d116b16063964e70d0342d285e40a24724243ae05f2d7f427e31dd7ecdb04745ae25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC8FB.tmp\processwork.dll
MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC8FB.tmp\processwork.dll
MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC8FB.tmp\processwork.dll
MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC8FB.tmp\processwork.dll
MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
memory/4616-132-0x0000000003080000-0x00000000030C1000-memory.dmp

Filesize
260KB

Download
memory/4844-144-0x0000021C97790000-0x0000021C977A0000-memory.dmp

Filesize
64KB

Download
memory/4844-151-0x0000021C9AB70000-0x0000021C9AB74000-memory.dmp

Filesize
16KB

Download