orcus | 55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9

Analysis

max time kernel
130s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe
Size

32.2MB
MD5

50cf2b79a37b6c5e2d8648483487dd60
SHA1

d95fec832f5cc5059d19e626c4eb7c9e526a6550
SHA256

55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9
SHA512

655d587159c4753f4b57a2e3be596f54ac58060473a52296c8e226c9e63cdb32ac5b32fedc3a910652b69bc871c3dcb951f86ec448470b7a6cea370c9925717e
SSDEEP

786432:QHw1v9qnHFHK1CMzoyuBzC8N1YSRwouTtRLbyK:QCqnHFHcCyoy4zC01YSRQtR

Score

10^/10

orcus funpay credential_access discovery rat spyware stealer upx

Malware Config

Extracted

Family

orcus

Botnet

FunPay

31.44.184.52:44657

Mutex

sudo_vm3jypee5e4wpgyaqsjreb4akskikm0b

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\privategamebase\Discord.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018bcd-46.dat	family_orcus

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Orcurs Rat Executable 10 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018bcd-46.dat	orcus
behavioral1/memory/2432-49-0x0000000000400000-0x0000000002440000-memory.dmp	orcus
behavioral1/memory/2976-465-0x00000000011B0000-0x00000000014F4000-memory.dmp	orcus
behavioral1/memory/1740-484-0x00000000010F0000-0x0000000001434000-memory.dmp	orcus
behavioral1/memory/1080-493-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/1080-498-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/1080-497-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/1080-496-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/1080-491-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/2216-765-0x0000000000220000-0x0000000000564000-memory.dmp	orcus

Executes dropped EXE 10 IoCs

pid	Process
2192	ExLoader_CA Classic.exe
2188	Built.exe
2744	Built.exe
2976	Discord.exe
1084	ExLoader_Installer.exe
1740	Discord.exe
1972	Discord.exe
1244	Process not Found
2056	Discord.exe
2216	Discord.exe

Loads dropped DLL 9 IoCs

pid	Process
2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe
2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe
2188	Built.exe
2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe
2744	Built.exe
2192	ExLoader_CA Classic.exe
1084	ExLoader_Installer.exe
2976	Discord.exe
1244	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019623-43.dat	upx
behavioral1/memory/2744-95-0x000007FEF5E60000-0x000007FEF6449000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 1080	1740	Discord.exe	38
PID 1972 set thread context of 2904	1972	Discord.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2976	Discord.exe
1740	Discord.exe
1740	Discord.exe
1972	Discord.exe
1972	Discord.exe
1080	msbuild.exe
1080	msbuild.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	Discord.exe
Token: SeDebugPrivilege	1740	Discord.exe
Token: SeDebugPrivilege	1972	Discord.exe
Token: SeDebugPrivilege	1080	msbuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2192	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	31
PID 2432 wrote to memory of 2192	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	31
PID 2432 wrote to memory of 2192	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	31
PID 2432 wrote to memory of 2192	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	31
PID 2432 wrote to memory of 2188	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	32
PID 2432 wrote to memory of 2188	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	32
PID 2432 wrote to memory of 2188	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	32
PID 2432 wrote to memory of 2188	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	32
PID 2188 wrote to memory of 2744	2188	Built.exe	33
PID 2188 wrote to memory of 2744	2188	Built.exe	33
PID 2188 wrote to memory of 2744	2188	Built.exe	33
PID 2432 wrote to memory of 2976	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	34
PID 2432 wrote to memory of 2976	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	34
PID 2432 wrote to memory of 2976	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	34
PID 2432 wrote to memory of 2976	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	34
PID 2432 wrote to memory of 2976	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	34
PID 2432 wrote to memory of 2976	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	34
PID 2432 wrote to memory of 2976	2432	55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe	34
PID 2192 wrote to memory of 1084	2192	ExLoader_CA Classic.exe	35
PID 2192 wrote to memory of 1084	2192	ExLoader_CA Classic.exe	35
PID 2192 wrote to memory of 1084	2192	ExLoader_CA Classic.exe	35
PID 2976 wrote to memory of 1740	2976	Discord.exe	36
PID 2976 wrote to memory of 1740	2976	Discord.exe	36
PID 2976 wrote to memory of 1740	2976	Discord.exe	36
PID 2976 wrote to memory of 1740	2976	Discord.exe	36
PID 2976 wrote to memory of 1740	2976	Discord.exe	36
PID 2976 wrote to memory of 1740	2976	Discord.exe	36
PID 2976 wrote to memory of 1740	2976	Discord.exe	36
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1028 wrote to memory of 1972	1028	taskeng.exe	39
PID 1028 wrote to memory of 1972	1028	taskeng.exe	39
PID 1028 wrote to memory of 1972	1028	taskeng.exe	39
PID 1028 wrote to memory of 1972	1028	taskeng.exe	39
PID 1028 wrote to memory of 1972	1028	taskeng.exe	39
PID 1028 wrote to memory of 1972	1028	taskeng.exe	39
PID 1028 wrote to memory of 1972	1028	taskeng.exe	39
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1740 wrote to memory of 1080	1740	Discord.exe	38
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1972 wrote to memory of 2904	1972	Discord.exe	40
PID 1028 wrote to memory of 2056	1028	taskeng.exe	42
PID 1028 wrote to memory of 2056	1028	taskeng.exe	42
PID 1028 wrote to memory of 2056	1028	taskeng.exe	42
PID 1028 wrote to memory of 2056	1028	taskeng.exe	42
PID 1028 wrote to memory of 2056	1028	taskeng.exe	42
PID 1028 wrote to memory of 2056	1028	taskeng.exe	42
PID 1028 wrote to memory of 2056	1028	taskeng.exe	42
PID 1028 wrote to memory of 2216	1028	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe
"C:\Users\Admin\AppData\Local\Temp\55f106bbd70d6c8b9ecac24ca61fdd85499050acf1973af1a74c39751dca86a9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\ExLoader_CA Classic.exe
  "C:\Users\Admin\AppData\Local\Temp\ExLoader_CA Classic.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1084
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2744
- C:\Users\Admin\AppData\Local\Temp\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
    "C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1080

C:\Windows\system32\taskeng.exe
taskeng.exe {FD4C9D8D-DF83-486F-9749-760A830D012D} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab8CA8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
183KB

MD5
afaa67445bd6bc3377cd5c56fdb934d0

SHA1
68e4f2cefda7f58478468c5adeeedef3378abae1

SHA256
53f5c7bab6cdb50b104882f9ac8ee9e5929b58ef0b392dc5f48c1622f737f002

SHA512
db5c7d7e5881ede8a9a6e4d09771dad592a68e7367a42700919cd37ad443badb8c0729cbcc75b9ac25ff65cdc06246b9e72962ebbcbddb1c24a522f8e5c7cd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.3MB

MD5
cf1901e6b6a138422e4eb765ec20e098

SHA1
3cbde7f32504cbc0795e536a024e61fa2185ced2

SHA256
615038c51ea1655b6b8f057ac16f725d51b395efe76fa96cfb97924b0d908297

SHA512
82e19d116db7ae553d66511c2255728d1651919ffe83ca87f79a9e00f7d7085665ce5303c48729e7941e33aa91f65ad4d17fd30101e9865e76c8a2540d0af7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21882\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.4MB

MD5
271698776c17f52bdd5083bc872f2b69

SHA1
0827944c3617c5b8fcf119182fa26afef974b9e8

SHA256
e3cd396506f03d756d04ffd28759c296bc0176b584f27017ca504c6836241ff6

SHA512
b4a97ef4d4b65feab1bf3fe1e8f9824b1bec216099942212d2211ad04c9288f24155e220e531a72ae631e994b814210e2e74e7a81ba45e240b25a0621c439534

Download Submit
\Users\Admin\AppData\Local\Temp\Discord.exe

Filesize
3.2MB

MD5
90cd2e9c676fc284584653b5d4f95126

SHA1
4e1a138d45e7833d1eb4205606cdd7f4508bce5c

SHA256
5ccf3a06eeaa035c5b4b60f44e7820692c015208d62e415a3c224c009edde3df

SHA512
57166446c7743344914d2c1e089e066bc0ddddc29cb8e64e801f01c63f6287d524a3778a7d67070779e90ad31e7b0675f081dafbd32b34aa407e20706885a146

Download Submit
\Users\Admin\AppData\Local\Temp\ExLoader_CA Classic.exe

Filesize
21.5MB

MD5
01deeaf6a3ac4ecea37fd6f21c3ea66a

SHA1
2767ec1e576b7639c38b3d75bca5a99146ffda95

SHA256
fae28755d742035f89e0cf73e9c46c7b7c2b625b3dcfab379dc135b9fa79dbb9

SHA512
d6e959987be4f69a890fa1ba62700ae5f7612e0a4919e58491bbdc96f60ebfbf5fe34806a2413b5724459576ab96e007d8edfe393ea9d12bf003f0df9e5fc9fe

Download Submit
memory/1080-487-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1080-497-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1080-762-0x0000000004AC0000-0x0000000004AC2000-memory.dmp

Filesize
8KB

Download
memory/1080-761-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/1080-514-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/1080-513-0x0000000000750000-0x0000000000768000-memory.dmp

Filesize
96KB

Download
memory/1080-491-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1080-495-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1080-496-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1080-489-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1080-493-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1080-498-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1740-485-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/1740-486-0x0000000000BB0000-0x0000000000BFE000-memory.dmp

Filesize
312KB

Download
memory/1740-484-0x00000000010F0000-0x0000000001434000-memory.dmp

Filesize
3.3MB

Download
memory/1972-500-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/2216-765-0x0000000000220000-0x0000000000564000-memory.dmp

Filesize
3.3MB

Download
memory/2432-49-0x0000000000400000-0x0000000002440000-memory.dmp

Filesize
32.2MB

Download
memory/2744-95-0x000007FEF5E60000-0x000007FEF6449000-memory.dmp

Filesize
5.9MB

Download
memory/2904-509-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2976-471-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/2976-465-0x00000000011B0000-0x00000000014F4000-memory.dmp

Filesize
3.3MB

Download
memory/2976-473-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/2976-472-0x0000000000B90000-0x0000000000BEC000-memory.dmp

Filesize
368KB

Download