orcus | 471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9

Resubmissions

07-05-2024 00:42

240507-a2ghnsde87 10

Analysis

max time kernel
155s
max time network
157s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-05-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe
Size

922.0MB
MD5

579579c7f692ec28c4b198f6dd30f372
SHA1

5eeeaf129ba78eec60d3a5cdb16d3d31eeb4a015
SHA256

245806b93b9d8c782086ddd542a45e3f8920031ef450335c18fe2402b963b365
SHA512

18ff96211d56d076c3b1ee29d18591cdc483761ddf0284dba26a6751d91db595d65500c0d3a5a92cc3c1512c53dad42fc8ee6d9d0a4b51a1789453c7eaecb31c
SSDEEP

49152:p9sij7wmgm0JRjaXUVPJUdDrAZY6DQAJE8lIZCmT3KxX9xtARkN2AWUoWHF08xGw:Mij7wgEVPJU+ZHDPtqn3QjtAFIFKIz

Score

10^/10

orcus execution persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

209.25.141.181:40489

Mutex

690c4574d03b45e4b89aa16b415b7baf

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\Chrome\Plugins\chromedriver.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
svchost
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral10/memory/996-113-0x0000000000630000-0x000000000071C000-memory.dmp	orcus

Executes dropped EXE 9 IoCs

pid	Process
2708	BlitzedGrabberX96 Install.exe
796	UnityCrashHandler.EXE
4212	chromedriver.exe
812	WindowsInput.exe
4480	WindowsInput.exe
996	chromedriver.exe
2392	chromedriver.exe
2956	svchost.exe
928	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	UnityCrashHandler.EXE

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	chromedriver.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	chromedriver.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	chromedriver.exe
File opened for modification	C:\Windows\assembly	chromedriver.exe
File created	C:\Windows\assembly\Desktop.ini	chromedriver.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
308	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
308	powershell.exe
308	powershell.exe
308	powershell.exe
996	chromedriver.exe
996	chromedriver.exe
996	chromedriver.exe
928	svchost.exe
928	svchost.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe
928	svchost.exe
996	chromedriver.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	308	powershell.exe
Token: SeIncreaseQuotaPrivilege	308	powershell.exe
Token: SeSecurityPrivilege	308	powershell.exe
Token: SeTakeOwnershipPrivilege	308	powershell.exe
Token: SeLoadDriverPrivilege	308	powershell.exe
Token: SeSystemProfilePrivilege	308	powershell.exe
Token: SeSystemtimePrivilege	308	powershell.exe
Token: SeProfSingleProcessPrivilege	308	powershell.exe
Token: SeIncBasePriorityPrivilege	308	powershell.exe
Token: SeCreatePagefilePrivilege	308	powershell.exe
Token: SeBackupPrivilege	308	powershell.exe
Token: SeRestorePrivilege	308	powershell.exe
Token: SeShutdownPrivilege	308	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeSystemEnvironmentPrivilege	308	powershell.exe
Token: SeRemoteShutdownPrivilege	308	powershell.exe
Token: SeUndockPrivilege	308	powershell.exe
Token: SeManageVolumePrivilege	308	powershell.exe
Token: 33	308	powershell.exe
Token: 34	308	powershell.exe
Token: 35	308	powershell.exe
Token: 36	308	powershell.exe
Token: SeDebugPrivilege	996	chromedriver.exe
Token: SeDebugPrivilege	2956	svchost.exe
Token: SeDebugPrivilege	928	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2708	BlitzedGrabberX96 Install.exe
2708	BlitzedGrabberX96 Install.exe
996	chromedriver.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 2708	4400	BlitzedGrabberX96 Installer.exe	73
PID 4400 wrote to memory of 2708	4400	BlitzedGrabberX96 Installer.exe	73
PID 4400 wrote to memory of 2708	4400	BlitzedGrabberX96 Installer.exe	73
PID 4400 wrote to memory of 796	4400	BlitzedGrabberX96 Installer.exe	74
PID 4400 wrote to memory of 796	4400	BlitzedGrabberX96 Installer.exe	74
PID 796 wrote to memory of 308	796	UnityCrashHandler.EXE	75
PID 796 wrote to memory of 308	796	UnityCrashHandler.EXE	75
PID 4400 wrote to memory of 4212	4400	BlitzedGrabberX96 Installer.exe	78
PID 4400 wrote to memory of 4212	4400	BlitzedGrabberX96 Installer.exe	78
PID 4212 wrote to memory of 1844	4212	chromedriver.exe	79
PID 4212 wrote to memory of 1844	4212	chromedriver.exe	79
PID 1844 wrote to memory of 4804	1844	csc.exe	81
PID 1844 wrote to memory of 4804	1844	csc.exe	81
PID 4212 wrote to memory of 812	4212	chromedriver.exe	82
PID 4212 wrote to memory of 812	4212	chromedriver.exe	82
PID 4212 wrote to memory of 996	4212	chromedriver.exe	84
PID 4212 wrote to memory of 996	4212	chromedriver.exe	84
PID 996 wrote to memory of 2956	996	chromedriver.exe	86
PID 996 wrote to memory of 2956	996	chromedriver.exe	86
PID 996 wrote to memory of 2956	996	chromedriver.exe	86
PID 2956 wrote to memory of 928	2956	svchost.exe	87
PID 2956 wrote to memory of 928	2956	svchost.exe	87
PID 2956 wrote to memory of 928	2956	svchost.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
  "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
  "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File poo.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
  "C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ajnhtc4u.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB76A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB769.tmp"
      4⤵
      PID:4804
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:812
- - C:\ProgramData\Chrome\Plugins\chromedriver.exe
    "C:\ProgramData\Chrome\Plugins\chromedriver.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 996 /protectFile
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 996 "/protectFile"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:4480

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe

Filesize
2.8MB

MD5
46d8dfadf7f9d90385ab7df71b5adce3

SHA1
99482121b86c790a6f2d732b0a47a1e41922518f

SHA256
7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c

SHA512
2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\poo.ps1

Filesize
35B

MD5
5d792fc7c4e2fd3eb595fce4883dcb2d

SHA1
ee2a88f769ad746f119e144bd06832cb55ef1e0f

SHA256
41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb

SHA512
4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB76A.tmp

Filesize
1KB

MD5
f438830d6ffbec5906c7cc2398f80969

SHA1
634ef2e12ecfe99f74f78a67e37ad0ba21820818

SHA256
6f31e262436c73c20667adda3c015c36cce149cf3150d88a8c70111372b58a3c

SHA512
35caafeeb2da82f3ca8f9641902a869b36af496d3ad5cc3168d3bc13bfa08b91bd076f7fa22c6e852a39722d023b543964bb1639bf62f1da2077dee36c3f1206

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE

Filesize
155KB

MD5
69bef95f8029651ff546b59544d3d6cd

SHA1
a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9

SHA256
0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac

SHA512
b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lll3cz2.q1w.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajnhtc4u.dll

Filesize
76KB

MD5
7b7d3ed3a24bd00b2d906ccf04b8223b

SHA1
cfe40177a25f49383a539aad0c50db6a1f7d0002

SHA256
6d4f595bb35b1768b81c5c7fd206a3913d9f3132c551019573169e8462d2b929

SHA512
31435ec3a9dda3730f9d4b0c5f99fef3084cda1f345b4e91f64236ada47dce1e6ac5b36e4d3d4c57adcbe175f3f8148ec80427c4529eab4babc1617f15ee857f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB769.tmp

Filesize
676B

MD5
a20980b0c5397dd1539a00e3485c9bb0

SHA1
bfd0baec898e67e242b126531e1f67b8b11d1f78

SHA256
aa39c20de7753861e797f5b0effa40c7fed2503cb7d699bb19fef789eea3f0f0

SHA512
d7d07a3c0b7bdec684413526aa085990e7f14547c05fd27d1f869a8903814d8cfa073d0853dd7ecf288333ba4df7fbd669e404ca35e7c77d10c98ebf16e24517

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajnhtc4u.0.cs

Filesize
208KB

MD5
82d8471dbd2e1b4cdeb116ae7e1fabc9

SHA1
1aad980d6673f428bc2a758f6787fdd74fdca18e

SHA256
3301522170cb85dfcc22474b2d916e201ea2d5cc1385f0c345cf8defd3b6203d

SHA512
7d33ccee3acbd005ecf56329c2eaedbf2675010f80f2861c7288e4d1d6b2ad1e419f7120135d11d4f3e74f8226d4a6878a9aab7d448ad86c2a8f9ce5b4155360

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajnhtc4u.cmdline

Filesize
349B

MD5
629fb958431ea85c33f6ea8ec4bddffa

SHA1
3a2c4e3e89f07b681cf3dda1d732e7304e873d8e

SHA256
5899f17b30e552ed5a03a4ce3df5f28e9e7377d7dc436312c3a744760df41c14

SHA512
40ddd05499c065209e49542248825d28192ee11a47ff3313d0c18788fe4214b1bbd882afe671c12d675b8ccfa2d7ae21bc467a7ec53129929a65808655ed24e1

Download Submit
memory/308-18-0x0000019F4E5A0000-0x0000019F4E5C2000-memory.dmp

Filesize
136KB

Download
memory/308-21-0x0000019F4E750000-0x0000019F4E7C6000-memory.dmp

Filesize
472KB

Download
memory/812-97-0x000000001B800000-0x000000001B83E000-memory.dmp

Filesize
248KB

Download
memory/812-95-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/812-96-0x0000000002EB0000-0x0000000002EC2000-memory.dmp

Filesize
72KB

Download
memory/996-117-0x0000000002920000-0x0000000002938000-memory.dmp

Filesize
96KB

Download
memory/996-114-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/996-113-0x0000000000630000-0x000000000071C000-memory.dmp

Filesize
944KB

Download
memory/996-115-0x00000000010C0000-0x000000000110E000-memory.dmp

Filesize
312KB

Download
memory/996-118-0x000000001BCD0000-0x000000001BE92000-memory.dmp

Filesize
1.8MB

Download
memory/996-119-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2956-127-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/4212-83-0x000000001CCB0000-0x000000001CCC6000-memory.dmp

Filesize
88KB

Download
memory/4212-87-0x000000001CEE0000-0x000000001CF00000-memory.dmp

Filesize
128KB

Download
memory/4212-86-0x0000000002C20000-0x0000000002C28000-memory.dmp

Filesize
32KB

Download
memory/4212-85-0x0000000002EA0000-0x0000000002EB2000-memory.dmp

Filesize
72KB

Download
memory/4212-70-0x000000001C7E0000-0x000000001C87C000-memory.dmp

Filesize
624KB

Download
memory/4212-69-0x000000001C270000-0x000000001C73E000-memory.dmp

Filesize
4.8MB

Download
memory/4212-68-0x000000001BD90000-0x000000001BD9E000-memory.dmp

Filesize
56KB

Download
memory/4212-65-0x000000001BC00000-0x000000001BC5C000-memory.dmp

Filesize
368KB

Download
memory/4400-0-0x00007FFC77063000-0x00007FFC77064000-memory.dmp

Filesize
4KB

Download
memory/4400-64-0x00007FFC77060000-0x00007FFC77A4C000-memory.dmp

Filesize
9.9MB

Download
memory/4400-4-0x00007FFC77060000-0x00007FFC77A4C000-memory.dmp

Filesize
9.9MB

Download
memory/4400-1-0x0000000000280000-0x000000000071A000-memory.dmp

Filesize
4.6MB

Download
memory/4480-102-0x0000000019FF0000-0x000000001A0FA000-memory.dmp

Filesize
1.0MB

Download