Overview

overview

10

Static

static

10

test.exe

windows10-2004-x64

10

test.exe

windows10-ltsc 2021-x64

10

test.exe

windows11-21h2-x64

10

Resubmissions

26-10-2024 23:19

241026-3a1rfsxrgm 10

26-10-2024 23:18

241026-3absbs1fnl 10

26-10-2024 23:16

241026-29dkjaymaw 10

Analysis

  • max time kernel
    289s
  • max time network
    298s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    26-10-2024 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.exe

  • Size

    3.0MB

  • MD5

    7b3150ddd3df859f8f6f36cb041b23f7

  • SHA1

    c3934ab76025c17cab3d309a96c1e32df9ad9d65

  • SHA256

    675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

  • SHA512

    a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214

  • SSDEEP

    49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw

Score
10/10
orcusdefense_evasionevasionexecutionpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

orcus

C2

Index1337z-43991.portmap.host:43991

Mutex

be9b19219c62425cbffd5b98125d81a6

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Using powershell.exe command.

    execution
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 14 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4228
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rtcgrppr.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE540.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE53F.tmp"
        3⤵
          PID:4380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3084
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3384
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:868
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:232
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:636
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Modifies Windows Defender Real-time Protection settings
        • UAC bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3032
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2780
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4532
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4380
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1580
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:568
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4424
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1840
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3156
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4988
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:404

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Hijack Execution Flow

    1
    T1574

    Executable Installer File Permissions Weakness

    1
    T1574.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Hijack Execution Flow

    1
    T1574

    Executable Installer File Permissions Weakness

    1
    T1574.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Hijack Execution Flow

    1
    T1574

    Executable Installer File Permissions Weakness

    1
    T1574.005

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Orcus\Orcus.exe
      Filesize

      3.0MB

      MD5

      7b3150ddd3df859f8f6f36cb041b23f7

      SHA1

      c3934ab76025c17cab3d309a96c1e32df9ad9d65

      SHA256

      675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

      SHA512

      a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214

      Download Submit

    • C:\Program Files\Orcus\Orcus.exe.config
      Filesize

      349B

      MD5

      89817519e9e0b4e703f07e8c55247861

      SHA1

      4636de1f6c997a25c3190f73f46a3fd056238d78

      SHA256

      f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

      SHA512

      b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      3eb3833f769dd890afc295b977eab4b4

      SHA1

      e857649b037939602c72ad003e5d3698695f436f

      SHA256

      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

      SHA512

      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      0f1bf4207c100442afb6f174495b7e10

      SHA1

      77ab64a201e4c57bbda4f0c3306bee76e9513b44

      SHA256

      c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d

      SHA512

      29bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      5e22dd1cda88782a1f52f76e748ef957

      SHA1

      3231826619a06fa541e2bfb21da445bd7013b5ac

      SHA256

      73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

      SHA512

      75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      feadc4e1a70c13480ef147aca0c47bc0

      SHA1

      d7a5084c93842a290b24dacec0cd3904c2266819

      SHA256

      5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

      SHA512

      c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESE540.tmp
      Filesize

      1KB

      MD5

      f16b9d85d5011afe1a885bba22738007

      SHA1

      d8049d1228dec8de0926edbf13e5e5cafe4919a2

      SHA256

      bb87182ee2adb4c1f68864fdee0fd4d614894ff91811c2adc083652255ac2c79

      SHA512

      3b81d45d9ceb1d2bfd9e0c734d24d54caeb6bb660dc40c4fd294a34e8e193724018ded3f821ec90fe0ad3b4550d79302dfe2fef300cce5a1ddd92c47db159e05

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pqpvs4c.0sn.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rtcgrppr.dll
      Filesize

      76KB

      MD5

      5d03837965d61d36f074f5e43655de8a

      SHA1

      c8de04df8f05b89b17717f67d68aee64c6b38a1b

      SHA256

      ef9fdfc59b1822a9dda285ea7d4acaa5b4aa9516643af7138f50c268b6e82fed

      SHA512

      70314a3b73bbd63f66a47c5f9c34ecae7ad6d73bb0f581840578cc0557e66fa5d9333caa1af5415b96881314f15ef88d543a68a0ab331e11d793c21e90a201c0

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCE53F.tmp
      Filesize

      676B

      MD5

      49f9f9888ef393b40d04e2d4ca0e717b

      SHA1

      8be6d52617239d8f43f20a6a73efbddd6dcaa3bb

      SHA256

      4a6b55a4f5d04d714107a5a7823535ff9c85ac9a4ec050dcbc0777dc3b61fb7a

      SHA512

      6a9261cc57554162d58d6535c7b7fb24f3b9558ce40b92d433c932d5aa5a99f7a14a6b080e1ebdda322238c3345fa87f0e71779899e9470405e23d43de03fe6c

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\rtcgrppr.0.cs
      Filesize

      208KB

      MD5

      900544393c63f9f37ef224e55b5ca0f4

      SHA1

      09639f80f287273a83543124d16acbf55b510d1d

      SHA256

      e8bf18a6eb79394e7ef791b6fb4cfc3cab343e1ccffb95624c0a4efb8b54beaa

      SHA512

      594167581ca7224cd4c51e4139371cfdeed841329b87d1a47c302d93cc7de3654a5b83ae6808d225f2996d6eaa92e56855fc3488d3df9c60ff2b98e4599f2386

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\rtcgrppr.cmdline
      Filesize

      349B

      MD5

      9f460bdb40344296a3a009af83df4e53

      SHA1

      97cc87e98d349514e9df48624bdfbbad50fce0a9

      SHA256

      a62aad7d8d4d6bb7f44ac0286cbd2769480177886596d651c66f07cad12175a2

      SHA512

      ae2bb908abdac1ff68e76fb42129a1812ca1c897256fbdfbde5fbc2fdf751d48d64757929326cf4122f76d635b4156698434978e07ae7b50041f057629518da1

      Download Submit

    • memory/404-299-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-304-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-301-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-303-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-294-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-293-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-298-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-302-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-292-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/404-300-0x0000020542520000-0x0000020542521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/568-330-0x000001CD7CCC0000-0x000001CD7CE0F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1580-323-0x000002CF74650000-0x000002CF7479F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1776-19-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1776-14-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1840-333-0x00000259C46B0000-0x00000259C47FF000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2280-316-0x00000182F0440000-0x00000182F058F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2400-191-0x0000026D5E030000-0x0000026D5E17F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2408-43-0x00007FFEB83A0000-0x00007FFEB8E62000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2408-48-0x00007FFEB83A0000-0x00007FFEB8E62000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2408-44-0x00007FFEB83A0000-0x00007FFEB8E62000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2408-42-0x000001E79DD40000-0x000001E79DD62000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2408-32-0x00007FFEB83A3000-0x00007FFEB83A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2780-309-0x0000022028710000-0x000002202885F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3032-178-0x0000000002C50000-0x0000000002C68000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3032-177-0x0000000001320000-0x0000000001332000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3032-179-0x0000000001330000-0x0000000001340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3032-175-0x00000000007E0000-0x0000000000ADC000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/3156-318-0x0000021B770A0000-0x0000021B771EF000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3396-308-0x000001C0384F0000-0x000001C03863F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4228-2-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4228-30-0x00007FFEBB095000-0x00007FFEBB096000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4228-3-0x000000001BD00000-0x000000001BD5C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/4228-0-0x00007FFEBB095000-0x00007FFEBB096000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4228-4-0x0000000001460000-0x000000000146E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4228-5-0x000000001C530000-0x000000001C9FE000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4228-150-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4228-6-0x000000001CAA0000-0x000000001CB3C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4228-47-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4228-31-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4228-1-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4228-176-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4228-23-0x0000000001410000-0x0000000001422000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4228-21-0x00000000018E0000-0x00000000018F6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4228-26-0x00007FFEBADE0000-0x00007FFEBB781000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4228-25-0x0000000001490000-0x0000000001498000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4228-24-0x0000000001470000-0x000000000147A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4380-327-0x000001DFF5810000-0x000001DFF595F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4424-326-0x0000021ED0CE0000-0x0000021ED0E2F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4532-317-0x0000023C76B00000-0x0000023C76C4F000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4988-336-0x000001FFF2950000-0x000001FFF2A9F000-memory.dmp

      Filesize

      1.3MB

      Download