ammyyadmin | be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Size

825KB
MD5

b4ac3a610662ffcc285a098ab43f6970
SHA1

1d0a2b0924de9d9afed132d5e8b6214dc1dfc9e5
SHA256

be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65
SHA512

6cc4f2845dc9770b7caff501d568e43936ff3cce0e2ccb0010c15c3ca179a2ff9a80eca4abe2f3c7ddb4f8f2574fa567bb1dc4bfb8c9be5701e2d555d9b7d65f
SSDEEP

24576:PkK+waI8JRQMEJ2rufRtse9r0v8MlBiIwuD0w6RAfEy:c4aSlx8lBi7E0lSfEy

Score

10^/10

ammyyadmin flawedammyy rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

resource	yara_rule
behavioral2/memory/1712-132-0x0000000000400000-0x00000000004A3000-memory.dmp	family_ammyyadmin
behavioral2/memory/1712-139-0x0000000000400000-0x00000000004A3000-memory.dmp	family_ammyyadmin
behavioral2/memory/4892-138-0x0000000000400000-0x00000000004A3000-memory.dmp	family_ammyyadmin
behavioral2/memory/792-146-0x0000000000400000-0x00000000004A3000-memory.dmp	family_ammyyadmin
behavioral2/memory/792-147-0x0000000000400000-0x00000000004A3000-memory.dmp	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0003000000000725-133.dat	acprotect
behavioral2/files/0x0003000000000725-134.dat	acprotect
behavioral2/files/0x000300000000072d-135.dat	acprotect
behavioral2/files/0x000300000000072d-136.dat	acprotect
behavioral2/files/0x0003000000000731-141.dat	acprotect
behavioral2/files/0x0003000000000731-140.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe

Loads dropped DLL 6 IoCs

pid	Process
1712	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
1712	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
4892	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
4892	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AC354CE209AD58A9212D6B2CC46107BA	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AC354CE209AD58A9212D6B2CC46107BA	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeBackupPrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
Token: SeRestorePrivilege	792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1712	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
4892	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
792	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 792	4892	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe	83
PID 4892 wrote to memory of 792	4892	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe	83
PID 4892 wrote to memory of 792	4892	be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe	83

C:\Users\Admin\AppData\Local\Temp\be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
"C:\Users\Admin\AppData\Local\Temp\be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Users\Admin\AppData\Local\Temp\be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
"C:\Users\Admin\AppData\Local\Temp\be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe" -service -lunch
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe
  "C:\Users\Admin\AppData\Local\Temp\be7da4a4eb534744bba008b2ff12f4f72b09432d1c1a27d2a1dc76fc0737bd65.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings.bin

Filesize
76B

MD5
090bba5cbe9cd62189310f633f14d686

SHA1
0ce1d78aace04650b0c592665686a89412c1771c

SHA256
7bc48188bbd0ad1b7ac10257e6a8fc5327f2ccfd56402a4353f6d8ef26eb0ff8

SHA512
846781bdb4d8902963f1859077c8db4c763fdd4ca28f0be83b95c20d324b5db030f312fc3d4f959dc05ca4f41ef872a49d123195494b16440e16ebcc5edb31a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qviD2A6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qviD2A6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\Temp\cviD41D.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\Temp\cviD41D.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\Temp\uviD3CF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\Temp\uviD3CF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/792-148-0x0000000000640000-0x00000000006B3000-memory.dmp

Filesize
460KB

Download
memory/792-147-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/792-146-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/792-145-0x0000000000640000-0x00000000006B3000-memory.dmp

Filesize
460KB

Download
memory/1712-139-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1712-143-0x0000000002210000-0x0000000002283000-memory.dmp

Filesize
460KB

Download
memory/1712-132-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4892-144-0x0000000000E10000-0x0000000000E83000-memory.dmp

Filesize
460KB

Download
memory/4892-138-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download