orcus | 1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19/10/2022, 06:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
Size

916KB
MD5

ac0431f34683bcbbb2cf23aaf29ea8cf
SHA1

275ec0e362cb074d5f080aaa41c25a8ecebe3205
SHA256

1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb
SHA512

156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c
SSDEEP

24576:r6w4MROxnFD3674S4xrZlI0AilFEvxHiBO:r6TMiJtrZlI0AilFEvxHi

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

146.70.143.176:81

Mutex

712d31c7a3f54904a08d968a15b836e9

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\orc\orc.exe
reconnect_delay
10000
registry_keyname
orc
taskscheduler_taskname
orc
watchdog_path
AppData\Watchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001ac2d-135.dat	family_orcus
behavioral1/files/0x000700000001ac2d-137.dat	family_orcus
behavioral1/files/0x000700000001ac2d-143.dat	family_orcus

Orcurs Rat Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x000700000001ac2d-135.dat	orcus
behavioral1/files/0x000700000001ac2d-137.dat	orcus
behavioral1/memory/4796-138-0x00000000002B0000-0x000000000039A000-memory.dmp	orcus
behavioral1/files/0x000700000001ac2d-143.dat	orcus

Executes dropped EXE 6 IoCs

pid	Process
364	WindowsInput.exe
3816	WindowsInput.exe
4796	orc.exe
5096	orc.exe
2180	Watchdog.exe
4792	Watchdog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\orc = "\"C:\\Program Files\\orc\\orc.exe\""	orc.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\orc\orc.exe	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
File opened for modification	C:\Program Files\orc\orc.exe	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
File created	C:\Program Files\orc\orc.exe.config	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
File created	C:\Windows\assembly\Desktop.ini	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	orc.exe
4796	orc.exe
4796	orc.exe
4796	orc.exe
4792	Watchdog.exe
4792	Watchdog.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe
4792	Watchdog.exe
4796	orc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	Watchdog.exe
Token: SeDebugPrivilege	4796	orc.exe
Token: SeDebugPrivilege	4792	Watchdog.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2484	2280	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe	66
PID 2280 wrote to memory of 2484	2280	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe	66
PID 2484 wrote to memory of 2796	2484	csc.exe	68
PID 2484 wrote to memory of 2796	2484	csc.exe	68
PID 2280 wrote to memory of 364	2280	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe	69
PID 2280 wrote to memory of 364	2280	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe	69
PID 2280 wrote to memory of 4796	2280	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe	71
PID 2280 wrote to memory of 4796	2280	1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe	71
PID 4796 wrote to memory of 2180	4796	orc.exe	73
PID 4796 wrote to memory of 2180	4796	orc.exe	73
PID 4796 wrote to memory of 2180	4796	orc.exe	73
PID 2180 wrote to memory of 4792	2180	Watchdog.exe	74
PID 2180 wrote to memory of 4792	2180	Watchdog.exe	74
PID 2180 wrote to memory of 4792	2180	Watchdog.exe	74

C:\Users\Admin\AppData\Local\Temp\1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe
"C:\Users\Admin\AppData\Local\Temp\1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x0qylpl4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBB2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCBB1.tmp"
    3⤵
    PID:2796
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:364
- C:\Program Files\orc\orc.exe
  "C:\Program Files\orc\orc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Roaming\Watchdog.exe
    "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Program Files\orc\orc.exe" 4796 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Roaming\Watchdog.exe
      "C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Program Files\orc\orc.exe" 4796 "/protectFile"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4792

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:3816

C:\Program Files\orc\orc.exe
"C:\Program Files\orc\orc.exe"
1⤵
- Executes dropped EXE
PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\orc\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe

Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Watchdog.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBB2.tmp

Filesize
1KB

MD5
220ad4f59626e32e3ad2ad8f360f4556

SHA1
5ec1448d53a8bdce8b9c92c2c154f53ccfb40e67

SHA256
ff08674b291576ca7d9c4b8b3ad78b437b0de5bd881f281df4d5c6ff207b0c9f

SHA512
bdff2410ef89f4135bfffc6922e9c6bc56a2ffc7d084469182d5aca9248113498de0d050ad274fec9e4db5353bd02888af4a13130a2dc6ce2c9c8ebc54deb45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0qylpl4.dll

Filesize
76KB

MD5
49fec281e7cf77a57ec9e687f6972968

SHA1
a582f26d9360ca7d55a385b1f07369370b879ba1

SHA256
17f8d2aa23612ab8d213c3a9a3ccc93e7dcdb0e488db16d35332ee6191fac075

SHA512
1b7d653e0189750a92c51e92172adf636a2e363e3e13a03841320fb2486fe2e89ac7b4806f95acf32137a82940116ad5df2ac66925990dd52615ae6985a7cd89

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Watchdog.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCBB1.tmp

Filesize
676B

MD5
e5364ec713930cd2a992f801a522ffe3

SHA1
5184d2ef8d3dbe48b535216066de714ddafe8584

SHA256
9acc4c6b7b77733c4458091ca08f58e88dbc2af10e469bb8c634ea0cd13f5bc4

SHA512
d425ff79a84a41f12eaab0e4335498a57eb3b772116a4cb4991d82f407b337bc963fdfb83dcf8e9406cdb6477631881249f08af19b4d3cead4f3c9e5c8fada05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x0qylpl4.0.cs

Filesize
208KB

MD5
2fdff1cc8f67d6e08329cb8e47c046e5

SHA1
114991ae49865c530831679c634e2c90b438a1ec

SHA256
097497d64c085b6eb940992a54dddafec0f89b430a41e22eb5521a503c8d65b5

SHA512
417f54bc467174c81927eddfa60ddb4aa8a891bbd9ae26107f0f4b2bddb0423d07b2cd764907fe87b9d3e339a76e0d5e9c396fee863621a68b090781c2b87e60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x0qylpl4.cmdline

Filesize
349B

MD5
da37749034ddd9ca856f132cef5a05d0

SHA1
55c310ae257d1f9e08ae98abe1f71b2136f0da34

SHA256
714d971d0ab34d00696f65b03d5c4ec52dcef62dab9ddb519f16748c2d760464

SHA512
549e979b2a385580b7df0e66e3aa20c71a4136d11a78deef2228c543804e9f064434da6cfd356abd3118c2ea5fcde06b42448167746c942a021cecb469d49de7

Download Submit
memory/364-131-0x0000000000D00000-0x0000000000D3E000-memory.dmp

Filesize
248KB

Download
memory/364-130-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/364-129-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2180-192-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-178-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-214-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-202-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-201-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-200-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-199-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-198-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-148-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-149-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-150-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-151-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-152-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-153-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-154-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-155-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-197-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-157-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-158-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-159-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-160-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-162-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-161-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-163-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-164-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-165-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-166-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-167-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-168-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-169-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-170-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-171-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-172-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-173-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-174-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-196-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-176-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-177-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-195-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-179-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-180-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-181-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-182-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-183-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-184-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/2180-185-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-186-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-187-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-188-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-189-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-190-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-191-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-194-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2180-193-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2280-117-0x00007FFBC2F80000-0x00007FFBC39B3000-memory.dmp

Filesize
10.2MB

Download
memory/3816-133-0x000000001B140000-0x000000001B24A000-memory.dmp

Filesize
1.0MB

Download
memory/4792-209-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-211-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-215-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-213-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-212-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-210-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-205-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-206-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-207-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4792-208-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-138-0x00000000002B0000-0x000000000039A000-memory.dmp

Filesize
936KB

Download
memory/4796-145-0x000000001BFB0000-0x000000001BFC0000-memory.dmp

Filesize
64KB

Download
memory/4796-142-0x000000001BCE0000-0x000000001BD2E000-memory.dmp

Filesize
312KB

Download
memory/4796-139-0x000000001AE10000-0x000000001AE6C000-memory.dmp

Filesize
368KB

Download
memory/4796-144-0x000000001BE80000-0x000000001BE98000-memory.dmp

Filesize
96KB

Download
memory/4796-141-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4796-140-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download