orcus | 994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20210408
submitted
26-05-2021 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorant Script.bat.exe
Size

1.4MB
MD5

637b3b849ab42985bd2bc59982202df9
SHA1

359dab386ed04c7e9bf1dac6af68ff4b70ee6d71
SHA256

994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c
SHA512

db676cc9cc802d57093b6a71a4cba36e84b93e3ca57c421dc3998c219d711cbdadb3537db2d60b94ad14da5cce1c484a59d8d98ddff112715840d218f1d55488

Score

10^/10

orcus lol rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

lol

isnadsknsbs-38398.portmap.host:12201

Mutex

e1b8920439fc43a68e4d8395e70dc516

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 5 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	family_orcus
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 5 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	orcus
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus

Executes dropped EXE 7 IoCs

Processes:

ROBLOX BUCKS AND MOD MENU.EXEWindowsInput.exeWindowsInput.exeOrcus.exeOrcus.exeOrcusWatchdog.exeOrcusWatchdog.exe

pid	process
2592	ROBLOX BUCKS AND MOD MENU.EXE
2296	WindowsInput.exe
3904	WindowsInput.exe
2988	Orcus.exe
1768	Orcus.exe
396	OrcusWatchdog.exe
1792	OrcusWatchdog.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

ROBLOX BUCKS AND MOD MENU.EXE

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	ROBLOX BUCKS AND MOD MENU.EXE
File opened for modification	C:\Windows\assembly\Desktop.ini	ROBLOX BUCKS AND MOD MENU.EXE

Drops file in System32 directory 3 IoCs

Processes:

ROBLOX BUCKS AND MOD MENU.EXEWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 4 IoCs

Processes:

ROBLOX BUCKS AND MOD MENU.EXEValorant Script.bat.exe

description	ioc	process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Program Files\Orcus\Orcus.exe.config	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	Valorant Script.bat.exe
File created	C:\Program Files\Orcus\Orcus.exe	ROBLOX BUCKS AND MOD MENU.EXE

Drops file in Windows directory 3 IoCs

Processes:

ROBLOX BUCKS AND MOD MENU.EXE

description	ioc	process
File opened for modification	C:\Windows\assembly	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Windows\assembly\Desktop.ini	ROBLOX BUCKS AND MOD MENU.EXE
File opened for modification	C:\Windows\assembly\Desktop.ini	ROBLOX BUCKS AND MOD MENU.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Orcus.exeOrcusWatchdog.exe

pid	process
2988	Orcus.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
1792	OrcusWatchdog.exe
1792	OrcusWatchdog.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe
2988	Orcus.exe
1792	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Orcus.exeOrcusWatchdog.exeOrcusWatchdog.exe

description pid process

Token: SeDebugPrivilege 2988 Orcus.exe
Token: SeDebugPrivilege 396 OrcusWatchdog.exe
Token: SeDebugPrivilege 1792 OrcusWatchdog.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

2988 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

2988 Orcus.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Orcus.exe

pid process

2988 Orcus.exe

description	pid	process
Token: SeDebugPrivilege	2988	Orcus.exe
Token: SeDebugPrivilege	396	OrcusWatchdog.exe
Token: SeDebugPrivilege	1792	OrcusWatchdog.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Valorant Script.bat.exeROBLOX BUCKS AND MOD MENU.EXEcsc.exeOrcus.exeOrcusWatchdog.exe

description	pid	process	target process
PID 3492 wrote to memory of 2592	3492	Valorant Script.bat.exe	ROBLOX BUCKS AND MOD MENU.EXE
PID 3492 wrote to memory of 2592	3492	Valorant Script.bat.exe	ROBLOX BUCKS AND MOD MENU.EXE
PID 2592 wrote to memory of 3308	2592	ROBLOX BUCKS AND MOD MENU.EXE	csc.exe
PID 2592 wrote to memory of 3308	2592	ROBLOX BUCKS AND MOD MENU.EXE	csc.exe
PID 3308 wrote to memory of 2152	3308	csc.exe	cvtres.exe
PID 3308 wrote to memory of 2152	3308	csc.exe	cvtres.exe
PID 2592 wrote to memory of 2296	2592	ROBLOX BUCKS AND MOD MENU.EXE	WindowsInput.exe
PID 2592 wrote to memory of 2296	2592	ROBLOX BUCKS AND MOD MENU.EXE	WindowsInput.exe
PID 2592 wrote to memory of 2988	2592	ROBLOX BUCKS AND MOD MENU.EXE	Orcus.exe
PID 2592 wrote to memory of 2988	2592	ROBLOX BUCKS AND MOD MENU.EXE	Orcus.exe
PID 2988 wrote to memory of 396	2988	Orcus.exe	OrcusWatchdog.exe
PID 2988 wrote to memory of 396	2988	Orcus.exe	OrcusWatchdog.exe
PID 2988 wrote to memory of 396	2988	Orcus.exe	OrcusWatchdog.exe
PID 396 wrote to memory of 1792	396	OrcusWatchdog.exe	OrcusWatchdog.exe
PID 396 wrote to memory of 1792	396	OrcusWatchdog.exe	OrcusWatchdog.exe
PID 396 wrote to memory of 1792	396	OrcusWatchdog.exe	OrcusWatchdog.exe

C:\Users\Admin\AppData\Local\Temp\Valorant Script.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant Script.bat.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE
  "C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pix4cs06.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41F1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC41F0.tmp"
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2296
- - C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2988 /protectFile
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2988 "/protectFile"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:3904

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files\Orcus\Orcus.exe

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files\Orcus\Orcus.exe

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files\Orcus\Orcus.exe

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES41F1.tmp

MD5
68e6a5dca3ff46139ab753015d13adce

SHA1
d191cc7b46ed67c6919d50fc9f102b37f2ac4940

SHA256
9c558d0d1e4fa72eb09b0d9d0fa09f25251240383469dc38b08f59b00a0e7f3d

SHA512
ce468013c62315318649c0550b878f06260a4fa4ab648dbebff0aead3f1e5816fe46697e94b3ef4540c1cc13982f359356b79f08e26aeecb2c5cb03b3b1f5f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\pix4cs06.dll

MD5
937bd588508a818376eac287b52f7979

SHA1
115fa6f699036d3d4e735dbdde2adae5ee121e2a

SHA256
30739eca651d6ef1488d894d9fb422cf544fb41ca78334993484d9260e296856

SHA512
86f17ccdfd8ecc1aec07d06e86375c0eb16b25311e70062a88fc3b23b732df0482e408ba6215994b4483731eaad9976fa65203aa49a7af470d63af8f666a5609

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC41F0.tmp

MD5
2ac8c8f21c2e35e23fd98c6d49e5ea96

SHA1
84ea774b8bf09ac25b45ea2b53cf2951d9eebecf

SHA256
288f542a0ac12813ff401e5d0b3e7d395151ac695e6e2da82097950c39616e1f

SHA512
4741886455bdcb3b500f0c3357f2c4871651da2b03a9afd25bdb7151cc48294f007272866e0c6733c95523367ac36054c59c8d1eb1d6692511627e2d05fac096

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pix4cs06.0.cs

MD5
a50e000ea4b1922ab0c3cd58cebac701

SHA1
03de2270f780cae3866079bb41b0fb7f03b01c86

SHA256
3edacda7d52be89284b903b2d512d129217bcb9842900a1afc0fb2f2978c8677

SHA512
071b6ba9ee7c4ac0e18838887df3815b2c5d8d364ab9415eed40f3b01f4fed1d8d8cb97d2c447929fc1110e965426c6438ad40edb51df269f988889f40cdf226

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pix4cs06.cmdline

MD5
9dbd8530fa931993fa4e0375795c61a4

SHA1
026c4cfc597d90fa396c61deca83b10bd629960c

SHA256
c856be9bcdacc2af43d4abf5f8230fa42fa79daa86dc4b18b37190f33cb35a6a

SHA512
0cbd42162e036ce721d736b93a462ac80708c0c4f78c74b4fa1d59a2e65b3b950c58a7e3a04610a9748e15e91bff6b615fa314f818ccc4e9c96bd4ff3f5c3b5f

Download Submit
memory/396-162-0x0000000000000000-mapping.dmp

Download
memory/396-169-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1768-167-0x000000001CE10000-0x000000001CE12000-memory.dmp

Filesize
8KB

Download
memory/1792-171-0x0000000000000000-mapping.dmp

Download
memory/2152-121-0x0000000000000000-mapping.dmp

Download
memory/2296-130-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2296-134-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2296-135-0x000000001C310000-0x000000001C312000-memory.dmp

Filesize
8KB

Download
memory/2296-126-0x0000000000000000-mapping.dmp

Download
memory/2296-133-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2592-114-0x0000000000000000-mapping.dmp

Download
memory/2592-117-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download
memory/2988-160-0x000000001CB40000-0x000000001CB4C000-memory.dmp

Filesize
48KB

Download
memory/2988-153-0x000000001C550000-0x000000001C598000-memory.dmp

Filesize
288KB

Download
memory/2988-143-0x0000000000000000-mapping.dmp

Download
memory/2988-155-0x000000001CA20000-0x000000001CA35000-memory.dmp

Filesize
84KB

Download
memory/2988-158-0x000000001CD30000-0x000000001CD31000-memory.dmp

Filesize
4KB

Download
memory/2988-151-0x0000000000910000-0x0000000000912000-memory.dmp

Filesize
8KB

Download
memory/2988-150-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/2988-149-0x000000001C3F0000-0x000000001C44A000-memory.dmp

Filesize
360KB

Download
memory/2988-147-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2988-168-0x0000000000914000-0x0000000000916000-memory.dmp

Filesize
8KB

Download
memory/2988-152-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/2988-166-0x0000000000912000-0x0000000000914000-memory.dmp

Filesize
8KB

Download
memory/3308-125-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/3308-118-0x0000000000000000-mapping.dmp

Download
memory/3904-142-0x000000001C120000-0x000000001C121000-memory.dmp

Filesize
4KB

Download
memory/3904-139-0x0000000001B20000-0x0000000001B22000-memory.dmp

Filesize
8KB

Download