2bad639d0a1f90525ad56b31641b3bd5fe1310079d1e6abd6bc7889cdc1ff3f5

Analysis

max time kernel
145s
max time network
140s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/07/2024, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoiceMod-Full-Version-Setup/Voicemod_setup.exe
Size

146KB
MD5

3d49478072bf18339ef810c8ea7546b2
SHA1

c1047d72d4cdce21af4bb989ad1bee437edb7f80
SHA256

e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d
SHA512

f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c
SSDEEP

3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\3R9qG8i3Z.README.txt

Ransom Note

~~~ PC Locker 3.0 by Mr.Robot~~~ >>>> Your data are stolen and encrypted To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero. >>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID Contact the following account on telegram @mr_robot_unlock or paste this link in your browser https://t.me/mr_robot_unlock >>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC90BEF8DD0B1639FE >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS! >>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK! >>>> Advertisement Would you like to earn thousands of dollars $$$ ? We sell mentorship for stealers, DDOS and ransomware. We only work with professionals and people with money DO NOT WASTE OUR TIME.

URLs

https://t.me/mr_robot_unlock

Signatures

Renames multiple (570) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1300	9403.tmp

Executes dropped EXE 1 IoCs

pid	Process
1300	9403.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1687926120-3022217735-1146543763-1000\desktop.ini	Voicemod_setup.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1687926120-3022217735-1146543763-1000\desktop.ini	Voicemod_setup.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPn3sj9t0609l3pr7hzmbbhotce.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPuo9onq6of332t3ahh9sq6ebec.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPsiu7130y50ga3ph8ldj_074nc.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3R9qG8i3Z.bmp"	Voicemod_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3R9qG8i3Z.bmp"	Voicemod_setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
1300	9403.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Voicemod_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9403.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop	Voicemod_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WallpaperStyle = "10"	Voicemod_setup.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon	Voicemod_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z	Voicemod_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\3R9qG8i3Z\DefaultIcon\ = "C:\\ProgramData\\3R9qG8i3Z.ico"	Voicemod_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z	Voicemod_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3R9qG8i3Z\ = "3R9qG8i3Z"	Voicemod_setup.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
748	Voicemod_setup.exe
4496	ONENOTE.EXE
4496	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp
1300	9403.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeDebugPrivilege	748	Voicemod_setup.exe
Token: 36	748	Voicemod_setup.exe
Token: SeImpersonatePrivilege	748	Voicemod_setup.exe
Token: SeIncBasePriorityPrivilege	748	Voicemod_setup.exe
Token: SeIncreaseQuotaPrivilege	748	Voicemod_setup.exe
Token: 33	748	Voicemod_setup.exe
Token: SeManageVolumePrivilege	748	Voicemod_setup.exe
Token: SeProfSingleProcessPrivilege	748	Voicemod_setup.exe
Token: SeRestorePrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSystemProfilePrivilege	748	Voicemod_setup.exe
Token: SeTakeOwnershipPrivilege	748	Voicemod_setup.exe
Token: SeShutdownPrivilege	748	Voicemod_setup.exe
Token: SeDebugPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeBackupPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe
Token: SeSecurityPrivilege	748	Voicemod_setup.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE
4496	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 5032	748	Voicemod_setup.exe	77
PID 748 wrote to memory of 5032	748	Voicemod_setup.exe	77
PID 2264 wrote to memory of 4496	2264	printfilterpipelinesvc.exe	79
PID 2264 wrote to memory of 4496	2264	printfilterpipelinesvc.exe	79
PID 748 wrote to memory of 1300	748	Voicemod_setup.exe	80
PID 748 wrote to memory of 1300	748	Voicemod_setup.exe	80
PID 748 wrote to memory of 1300	748	Voicemod_setup.exe	80
PID 748 wrote to memory of 1300	748	Voicemod_setup.exe	80
PID 1300 wrote to memory of 2004	1300	9403.tmp	81
PID 1300 wrote to memory of 2004	1300	9403.tmp	81
PID 1300 wrote to memory of 2004	1300	9403.tmp	81

C:\Users\Admin\AppData\Local\Temp\VoiceMod-Full-Version-Setup\Voicemod_setup.exe
"C:\Users\Admin\AppData\Local\Temp\VoiceMod-Full-Version-Setup\Voicemod_setup.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:5032
- C:\ProgramData\9403.tmp
  "C:\ProgramData\9403.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9403.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:4456

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{AB7E7804-C01C-42CB-8E0E-11D529B387E4}.xps" 133668015036300000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1687926120-3022217735-1146543763-1000\AAAAAAAAAAA

Filesize
129B

MD5
d2a5cfa7821497840f75db61a2aebb6a

SHA1
a93e5c4800925fbdba8ffe6ff4bda96ef48b42ca

SHA256
58a56d1482ed1eabf7014f40e73fd52099ec05f9933ff6782b1be874d2c0bcf4

SHA512
11c8347ec48fb7ad8cbd78765be1e34f1884ae422be0b6495556d25df2185e0a307551799fdf65529b2f91069a3d7d73d536e8c5c0f335f93c15a966ca41cc82

Download Submit
C:\3R9qG8i3Z.README.txt

Filesize
953B

MD5
59c1819f8b3b3e274f52fc145a88a331

SHA1
fe4b5bb97d84c3c05da6883acf4cc06b4cd67474

SHA256
22aabb2dd8e3f376b8ca281e363077ba406a35704ae88f347d25df179f61933b

SHA512
bf7e7a5a2ef7029a431f6372df7feee62ec5f4b6ea9580062ae74dbef93688ba3f5123dba6e018f3369048af32a7f1d368025cdac4bc08d5306cb3e1c76bb4a2

Download Submit
C:\ProgramData\9403.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoiceMod-Full-Version-Setup\DDDDDDDDDDDDDDDDDD

Filesize
146KB

MD5
d303b4cdc36b0c19119d065df84ada13

SHA1
7c4f6a9430f0d52fb6b0acef72559edadafb13fc

SHA256
5509348d10406ff4d4c0cb1a5a91a9a3ec1e9079cdbab3a615489b9c58bb27e0

SHA512
96887ed3f78e02ad2afe2276c1fa5e319557bc516a4b1ea98b4570ad972b46bf3b91826532505bfd03526213017179d84438d1c1de43a3378d5b50e0e3787dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C0355C61-75F9-4B82-BDB1-755F9A035DC4}

Filesize
4KB

MD5
2aee95b955f0c2c614047fe953f9bf95

SHA1
0c2663e422cdb5680a620a5daa50c1ae31048335

SHA256
26c73f656e2dc85e38669905ebfd9050486881dbdbb6869db43f2a8254363702

SHA512
49189f53c4e9001b766d7e0fd6fa3fc447e78a7140f0a28b7fb0ce47ff83a62eb55f6b83699fa2be093931b88450bb532f804b72e84551b7d348bef1e6c18cbf

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
e5a1c5cced3d4e6ae41625e88a4ebfd4

SHA1
e2738fff78ff9ba600d4a1df339a9d5b287921f8

SHA256
2a7ac4683f306fc15bb464c4ee9e42a95213e89a5f95aa4811f8142f107e3383

SHA512
d4e5bd05e4c1e005ab2fbd4cf4149935fc2e4592630406182434332d29752df68e5a2f7a0e47078d6c8af6ed16efcd8142f071a1379237386d3944677d7bcc9e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1687926120-3022217735-1146543763-1000\DDDDDDDDDDD

Filesize
129B

MD5
e188bb9f536f6d94aa5322a34a98e6a2

SHA1
13da7948e160312543115caec96a13613826fdb8

SHA256
1027a5af1c686aa78695cbc2cfd9c2406c26da1fb2c3be69fbca099682fe61e4

SHA512
d8b2bc77f9089621d97ac9a60adcc8ec7096a9113c3c7c3fbd9317202052d2ff29477c50414a91578d36e9e26c539ef94f8eee1a05a569ae34cda6d7b7b1c7ee

Download Submit
memory/748-0-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/748-1-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/748-2-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/4456-2919-0x0000014352DF0000-0x0000014352DF1000-memory.dmp

Filesize
4KB

Download
memory/4456-2921-0x00000143573D0000-0x00000143573D1000-memory.dmp

Filesize
4KB

Download
memory/4456-2923-0x0000014357510000-0x0000014357511000-memory.dmp

Filesize
4KB

Download
memory/4456-2924-0x0000014357520000-0x0000014357521000-memory.dmp

Filesize
4KB

Download
memory/4456-2912-0x0000014352D60000-0x0000014352D70000-memory.dmp

Filesize
64KB

Download
memory/4456-2908-0x0000014352650000-0x0000014352660000-memory.dmp

Filesize
64KB

Download
memory/4496-2941-0x00007FF960360000-0x00007FF960370000-memory.dmp

Filesize
64KB

Download
memory/4496-2943-0x00007FF960360000-0x00007FF960370000-memory.dmp

Filesize
64KB

Download
memory/4496-2974-0x00007FF95D5C0000-0x00007FF95D5D0000-memory.dmp

Filesize
64KB

Download
memory/4496-2975-0x00007FF95D5C0000-0x00007FF95D5D0000-memory.dmp

Filesize
64KB

Download
memory/4496-2940-0x00007FF960360000-0x00007FF960370000-memory.dmp

Filesize
64KB

Download
memory/4496-2942-0x00007FF960360000-0x00007FF960370000-memory.dmp

Filesize
64KB

Download
memory/4496-3391-0x00000232BAFA0000-0x00000232BB0A5000-memory.dmp

Filesize
1.0MB

Download
memory/4496-3395-0x00000232BAFA0000-0x00000232BB0A5000-memory.dmp

Filesize
1.0MB

Download