Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/10/2022, 06:09
Static task: static1
Behavioral task: behavioral1
- Sample: ransomware.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ransomware.exe
- Resource: win10v2004-20220812-en
General
- Target: ransomware.exe
- Size: 4.2MB
- MD5: b80a4735eed794b80ef2a224fdbd04d6
- SHA1: 3c7fc076336a1de52005f63499820fbef8c5055d
- SHA256: a244fde869a19cd9810260b250888229855420021a24e28f9b56f2659c08bc32
- SHA512: b60db6d574712916218e0eeaea4dcc0d72934b2d752d93cef40b23039b2650d270c50fc507e1e69b7906f3505d3920c19f509f0ae2249b2580eb23ebc27fa9f0
- SSDEEP: 49152:xo0QvL0/tQEUsAwKN1z9yqvY69nnF1hBELuOXTT6HLzGvcpENXMAgCDQz/SS:xo0CL0fZMjs6HLyNcpCDQ
Malware Config
Extracted from C:\RICUHFEVR-DECRYPT.txt:
- http://gandcrabmfe6mnef.onion/b671c6df70a61421
Signatures
- GandCrab payload (1 IoCs)
  resource | yara_rule
  - behavioral2/memory/5048-137-0x0000000000400000-0x0000000000428000-memory.dmp | family_gandcrab
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoCs)
  pid | Process
  - 2000 | TigerWarrior2.2266793134.exe
- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  - File renamed | C:\Users\Admin\Pictures\UnregisterReceive.raw => C:\Users\Admin\Pictures\UnregisterReceive.raw.ricuhfevr | wermgr.exe
  - File opened for modification | C:\Users\Admin\Pictures\BlockConvertFrom.tiff | wermgr.exe
  - File renamed | C:\Users\Admin\Pictures\BlockConvertFrom.tiff => C:\Users\Admin\Pictures\BlockConvertFrom.tiff.ricuhfevr | wermgr.exe
  - File renamed | C:\Users\Admin\Pictures\SplitNew.tif => C:\Users\Admin\Pictures\SplitNew.tif.ricuhfevr | wermgr.exe
  - File renamed | C:\Users\Admin\Pictures\SwitchProtect.tif => C:\Users\Admin\Pictures\SwitchProtect.tif.ricuhfevr | wermgr.exe
  - File renamed | C:\Users\Admin\Pictures\RestoreOut.raw => C:\Users\Admin\Pictures\RestoreOut.raw.ricuhfevr | wermgr.exe
  - File renamed | C:\Users\Admin\Pictures\WritePublish.png => C:\Users\Admin\Pictures\WritePublish.png.ricuhfevr | wermgr.exe
  - File renamed | C:\Users\Admin\Pictures\EnterStep.crw => C:\Users\Admin\Pictures\EnterStep.crw.ricuhfevr | wermgr.exe
  - File opened for modification | C:\Users\Admin\Pictures\FormatMount.tiff | wermgr.exe
  - File renamed | C:\Users\Admin\Pictures\FormatMount.tiff => C:\Users\Admin\Pictures\FormatMount.tiff.ricuhfevr | wermgr.exe
  - File renamed | C:\Users\Admin\Pictures\NewCompare.crw => C:\Users\Admin\Pictures\NewCompare.crw.ricuhfevr | wermgr.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\70a613c270a6142d214.lock | wermgr.exe
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RICUHFEVR-DECRYPT.txt | wermgr.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  - File opened (read-only) | \??\M: | wermgr.exe
  - File opened (read-only) | \??\N: | wermgr.exe
  - File opened (read-only) | \??\O: | wermgr.exe
  - File opened (read-only) | \??\U: | wermgr.exe
  - File opened (read-only) | \??\W: | wermgr.exe
  - File opened (read-only) | \??\G: | wermgr.exe
  - File opened (read-only) | \??\H: | wermgr.exe
  - File opened (read-only) | \??\F: | wermgr.exe
  - File opened (read-only) | \??\L: | wermgr.exe
  - File opened (read-only) | \??\R: | wermgr.exe
  - File opened (read-only) | \??\V: | wermgr.exe
  - File opened (read-only) | \??\X: | wermgr.exe
  - File opened (read-only) | \??\Z: | wermgr.exe
  - File opened (read-only) | \??\A: | wermgr.exe
  - File opened (read-only) | \??\B: | wermgr.exe
  - File opened (read-only) | \??\Y: | wermgr.exe
  - File opened (read-only) | \??\E: | wermgr.exe
  - File opened (read-only) | \??\K: | wermgr.exe
  - File opened (read-only) | \??\P: | wermgr.exe
  - File opened (read-only) | \??\Q: | wermgr.exe
  - File opened (read-only) | \??\S: | wermgr.exe
  - File opened (read-only) | \??\T: | wermgr.exe
  - File opened (read-only) | \??\I: | wermgr.exe
  - File opened (read-only) | \??\J: | wermgr.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | wermgr.exe
- Drops file in Program Files directory (39 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Program Files\OpenHide.php | wermgr.exe
  - File opened for modification | C:\Program Files\OptimizeConvert.svg | wermgr.exe
  - File opened for modification | C:\Program Files\SkipSubmit.tmp | wermgr.exe
  - File opened for modification | C:\Program Files\ExpandOpen.mpg | wermgr.exe
  - File opened for modification | C:\Program Files\JoinConvertTo.m1v | wermgr.exe
  - File opened for modification | C:\Program Files\UninstallWatch.vsdx | wermgr.exe
  - File created | C:\Program Files (x86)\RICUHFEVR-DECRYPT.txt | wermgr.exe
  - File created | C:\Program Files (x86)\70a613c270a6142d214.lock | wermgr.exe
  - File created | C:\Program Files\70a613c270a6142d214.lock | wermgr.exe
  - File opened for modification | C:\Program Files\ExportRequest.xlsx | wermgr.exe
  - File opened for modification | C:\Program Files\RegisterWrite.dwg | wermgr.exe
  - File opened for modification | C:\Program Files\RestoreRepair.DVR | wermgr.exe
  - File opened for modification | C:\Program Files\ResumeMount.au | wermgr.exe
  - File opened for modification | C:\Program Files\SplitProtect.ex_ | wermgr.exe
  - File opened for modification | C:\Program Files\SubmitUndo.mpeg | wermgr.exe
  - File created | C:\Program Files\RICUHFEVR-DECRYPT.txt | wermgr.exe
  - File opened for modification | C:\Program Files\BlockApprove.TTS | wermgr.exe
  - File opened for modification | C:\Program Files\EnableConfirm.MTS | wermgr.exe
  - File opened for modification | C:\Program Files\ExpandRevoke.TTS | wermgr.exe
  - File opened for modification | C:\Program Files\InvokeUnprotect.xlt | wermgr.exe
  - File opened for modification | C:\Program Files\RequestEnable.edrwx | wermgr.exe
  - File opened for modification | C:\Program Files\SuspendEdit.3gp2 | wermgr.exe
  - File opened for modification | C:\Program Files\ExportPop.DVR-MS | wermgr.exe
  - File opened for modification | C:\Program Files\HideSwitch.reg | wermgr.exe
  - File opened for modification | C:\Program Files\InvokeUninstall.mhtml | wermgr.exe
  - File opened for modification | C:\Program Files\ProtectCopy.dwfx | wermgr.exe
  - File opened for modification | C:\Program Files\SuspendPop.php | wermgr.exe
  - File opened for modification | C:\Program Files\WatchDisable.vsdm | wermgr.exe
  - File opened for modification | C:\Program Files\PopEnable.xls | wermgr.exe
  - File opened for modification | C:\Program Files\SearchOptimize.ttf | wermgr.exe
  - File opened for modification | C:\Program Files\ApproveRegister.asx | wermgr.exe
  - File opened for modification | C:\Program Files\DisconnectPing.html | wermgr.exe
  - File opened for modification | C:\Program Files\EnterInvoke.aiff | wermgr.exe
  - File opened for modification | C:\Program Files\LimitReceive.xltx | wermgr.exe
  - File opened for modification | C:\Program Files\PopInvoke.dwg | wermgr.exe
  - File opened for modification | C:\Program Files\PushProtect.xml | wermgr.exe
  - File opened for modification | C:\Program Files\FindReset.mp2v | wermgr.exe
  - File opened for modification | C:\Program Files\ResolveEnter.mpg | wermgr.exe
  - File opened for modification | C:\Program Files\ResumeEnable.wmv | wermgr.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wermgr.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wermgr.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  - 5048 | wermgr.exe
  - 5048 | wermgr.exe
  - 5048 | wermgr.exe
  - 5048 | wermgr.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description | pid | Process
  - Token: SeIncreaseQuotaPrivilege | 1920 | wmic.exe
  - Token: SeSecurityPrivilege | 1920 | wmic.exe
  - Token: SeTakeOwnershipPrivilege | 1920 | wmic.exe
  - Token: SeLoadDriverPrivilege | 1920 | wmic.exe
  - Token: SeSystemProfilePrivilege | 1920 | wmic.exe
  - Token: SeSystemtimePrivilege | 1920 | wmic.exe
  - Token: SeProfSingleProcessPrivilege | 1920 | wmic.exe
  - Token: SeIncBasePriorityPrivilege | 1920 | wmic.exe
  - Token: SeCreatePagefilePrivilege | 1920 | wmic.exe
  - Token: SeBackupPrivilege | 1920 | wmic.exe
  - Token: SeRestorePrivilege | 1920 | wmic.exe
  - Token: SeShutdownPrivilege | 1920 | wmic.exe
  - Token: SeDebugPrivilege | 1920 | wmic.exe
  - Token: SeSystemEnvironmentPrivilege | 1920 | wmic.exe
  - Token: SeRemoteShutdownPrivilege | 1920 | wmic.exe
  - Token: SeUndockPrivilege | 1920 | wmic.exe
  - Token: SeManageVolumePrivilege | 1920 | wmic.exe
  - Token: 33 | 1920 | wmic.exe
  - Token: 34 | 1920 | wmic.exe
  - Token: 35 | 1920 | wmic.exe
  - Token: 36 | 1920 | wmic.exe
  - Token: SeIncreaseQuotaPrivilege | 1920 | wmic.exe
  - Token: SeSecurityPrivilege | 1920 | wmic.exe
  - Token: SeTakeOwnershipPrivilege | 1920 | wmic.exe
  - Token: SeLoadDriverPrivilege | 1920 | wmic.exe
  - Token: SeSystemProfilePrivilege | 1920 | wmic.exe
  - Token: SeSystemtimePrivilege | 1920 | wmic.exe
  - Token: SeProfSingleProcessPrivilege | 1920 | wmic.exe
  - Token: SeIncBasePriorityPrivilege | 1920 | wmic.exe
  - Token: SeCreatePagefilePrivilege | 1920 | wmic.exe
  - Token: SeBackupPrivilege | 1920 | wmic.exe
  - Token: SeRestorePrivilege | 1920 | wmic.exe
  - Token: SeShutdownPrivilege | 1920 | wmic.exe
  - Token: SeDebugPrivilege | 1920 | wmic.exe
  - Token: SeSystemEnvironmentPrivilege | 1920 | wmic.exe
  - Token: SeRemoteShutdownPrivilege | 1920 | wmic.exe
  - Token: SeUndockPrivilege | 1920 | wmic.exe
  - Token: SeManageVolumePrivilege | 1920 | wmic.exe
  - Token: 33 | 1920 | wmic.exe
  - Token: 34 | 1920 | wmic.exe
  - Token: 35 | 1920 | wmic.exe
  - Token: 36 | 1920 | wmic.exe
  - Token: SeBackupPrivilege | 4704 | vssvc.exe
  - Token: SeRestorePrivilege | 4704 | vssvc.exe
  - Token: SeAuditPrivilege | 4704 | vssvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  - PID 660 wrote to memory of 2000 | 660 | ransomware.exe | 83
  - PID 660 wrote to memory of 2000 | 660 | ransomware.exe | 83
  - PID 660 wrote to memory of 2000 | 660 | ransomware.exe | 83
  - PID 2000 wrote to memory of 5048 | 2000 | TigerWarrior2.2266793134.exe | 88
  - PID 2000 wrote to memory of 5048 | 2000 | TigerWarrior2.2266793134.exe | 88
  - PID 2000 wrote to memory of 5048 | 2000 | TigerWarrior2.2266793134.exe | 88
  - PID 2000 wrote to memory of 5048 | 2000 | TigerWarrior2.2266793134.exe | 88
  - PID 2000 wrote to memory of 5048 | 2000 | TigerWarrior2.2266793134.exe | 88
  - PID 5048 wrote to memory of 1920 | 5048 | wermgr.exe | 93
  - PID 5048 wrote to memory of 1920 | 5048 | wermgr.exe | 93
  - PID 5048 wrote to memory of 1920 | 5048 | wermgr.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\ransomware.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
  - Suspicious use of WriteProcessMemory
  PID: 660
  - Child process: C:\Users\Admin\AppData\Local\Temp\TigerWarrior2.2266793134.exe
    command line: C:\Users\Admin\AppData\Local\Temp\TigerWarrior2.2266793134.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2000
    - Child process: C:\Windows\SysWOW64\wermgr.exe
      command line: "C:\Windows\System32\wermgr.exe"
      - Modifies extensions of user files
      - Drops startup file
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 5048
      - Child process: C:\Windows\SysWOW64\wbem\wmic.exe
        command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID: 1920
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4704
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 712KB
- MD5: 23966228f4f52120ae3057c158c327f0
- SHA1: 02b6a200b1ac97cd854caba4e3a9a6593ef7c675
- SHA256: db53a5dd001f4827b017584f1e826e5605e881f3af22153f1e1daa4ca231b2ff
- SHA512: f4ae14bd4faf8e2efd98e8af18bdf950a2ed5cec4940d37c861bc16fdbc4d679f9b9de7dc24e0859e544e41e3e50a3914d83ebe3f40fb3a3d5c7cc2cdb695552