orcus | 4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2023 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0009000000014b5d-74.exe
Size

3.0MB
MD5

fd560527411b6fc1dec327027f1b6a51
SHA1

056c4273219177194fa2d4c7cd308470391a4c53
SHA256

4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61
SHA512

ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988
SSDEEP

49152:Jsa3PHJZKMvup/RGA1Ub/6U3bFaAypQxbzkso9JnCmaukrrzI0AilFCvxHI:JjGUu1D1Uj6UnypSbzPo9JCm

Score

10^/10

orcus sln persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Sln

193.138.195.211:10134

Mutex

eaf050d367294b239fe7db992d6ea4d7

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svc host
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 3 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\svchost.exe	family_orcus
C:\Program Files (x86)\svchost.exe	family_orcus
C:\Program Files (x86)\svchost.exe	family_orcus

Orcurs Rat Executable 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4160-132-0x0000000000C40000-0x0000000000F48000-memory.dmp	orcus
C:\Program Files (x86)\svchost.exe	orcus
C:\Program Files (x86)\svchost.exe	orcus
C:\Program Files (x86)\svchost.exe	orcus

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0x0009000000014b5d-74.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	0x0009000000014b5d-74.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

WindowsInput.exeWindowsInput.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

1928 WindowsInput.exe
4152 WindowsInput.exe
4088 svchost.exe
1268 svchost.exe
3836 svchost.exe
4100 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

svchost.exe

pid process

4088 svchost.exe
4088 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1928	WindowsInput.exe
4152	WindowsInput.exe
4088	svchost.exe
1268	svchost.exe
3836	svchost.exe
4100	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files (x86)\\svchost.exe\""	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
27 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
11	ip-api.com
27	icanhazip.com

Drops file in System32 directory 3 IoCs

Processes:

0x0009000000014b5d-74.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	0x0009000000014b5d-74.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	0x0009000000014b5d-74.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 4 IoCs

Processes:

0x0009000000014b5d-74.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\svchost.exe	0x0009000000014b5d-74.exe
File opened for modification	C:\Program Files (x86)\svchost.exe	0x0009000000014b5d-74.exe
File created	C:\Program Files (x86)\svchost.exe.config	0x0009000000014b5d-74.exe
File created	C:\Program Files (x86)\Ionic.Zip.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exesvchost.exe

pid	process
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4100	svchost.exe
4100	svchost.exe
4100	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe
4100	svchost.exe
4088	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4088 svchost.exe
Token: SeDebugPrivilege 3836 svchost.exe
Token: SeDebugPrivilege 4100 svchost.exe

description	pid	process
Token: SeDebugPrivilege	4088	svchost.exe
Token: SeDebugPrivilege	3836	svchost.exe
Token: SeDebugPrivilege	4100	svchost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

0x0009000000014b5d-74.exesvchost.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 4160 wrote to memory of 1928	4160	0x0009000000014b5d-74.exe	WindowsInput.exe
PID 4160 wrote to memory of 1928	4160	0x0009000000014b5d-74.exe	WindowsInput.exe
PID 4160 wrote to memory of 4088	4160	0x0009000000014b5d-74.exe	svchost.exe
PID 4160 wrote to memory of 4088	4160	0x0009000000014b5d-74.exe	svchost.exe
PID 4160 wrote to memory of 4088	4160	0x0009000000014b5d-74.exe	svchost.exe
PID 4088 wrote to memory of 4228	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4228	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 4228	4088	svchost.exe	cmd.exe
PID 4228 wrote to memory of 3560	4228	cmd.exe	chcp.com
PID 4228 wrote to memory of 3560	4228	cmd.exe	chcp.com
PID 4228 wrote to memory of 3560	4228	cmd.exe	chcp.com
PID 4228 wrote to memory of 3596	4228	cmd.exe	netsh.exe
PID 4228 wrote to memory of 3596	4228	cmd.exe	netsh.exe
PID 4228 wrote to memory of 3596	4228	cmd.exe	netsh.exe
PID 4228 wrote to memory of 3156	4228	cmd.exe	findstr.exe
PID 4228 wrote to memory of 3156	4228	cmd.exe	findstr.exe
PID 4228 wrote to memory of 3156	4228	cmd.exe	findstr.exe
PID 4088 wrote to memory of 3664	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 3664	4088	svchost.exe	cmd.exe
PID 4088 wrote to memory of 3664	4088	svchost.exe	cmd.exe
PID 3664 wrote to memory of 1512	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 1512	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 1512	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 5024	3664	cmd.exe	netsh.exe
PID 3664 wrote to memory of 5024	3664	cmd.exe	netsh.exe
PID 3664 wrote to memory of 5024	3664	cmd.exe	netsh.exe
PID 4088 wrote to memory of 3836	4088	svchost.exe	svchost.exe
PID 4088 wrote to memory of 3836	4088	svchost.exe	svchost.exe
PID 4088 wrote to memory of 3836	4088	svchost.exe	svchost.exe
PID 3836 wrote to memory of 4100	3836	svchost.exe	svchost.exe
PID 3836 wrote to memory of 4100	3836	svchost.exe	svchost.exe
PID 3836 wrote to memory of 4100	3836	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0x0009000000014b5d-74.exe
"C:\Users\Admin\AppData\Local\Temp\0x0009000000014b5d-74.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928

C:\Program Files (x86)\svchost.exe
"C:\Program Files (x86)\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3560

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
4⤵
PID:3596

C:\Windows\SysWOW64\findstr.exe
findstr All
4⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1512

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:5024

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Program Files (x86)\svchost.exe" 4088 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Program Files (x86)\svchost.exe" 4088 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:4152

C:\Program Files (x86)\svchost.exe
"C:\Program Files (x86)\svchost.exe"
1⤵
- Executes dropped EXE
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Program Files (x86)\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Program Files (x86)\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
C:\Program Files (x86)\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
C:\Program Files (x86)\svchost.exe
Filesize
3.0MB

MD5
fd560527411b6fc1dec327027f1b6a51

SHA1
056c4273219177194fa2d4c7cd308470391a4c53

SHA256
4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

SHA512
ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

Download Submit
C:\Program Files (x86)\svchost.exe.config
Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
Filesize
1KB

MD5
0672db2ef13237d5cb85075ff4915942

SHA1
ad8b4d3eb5e40791c47d48b22e273486f25f663f

SHA256
0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519

SHA512
84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
c95012f934b8bb6e1fb1bcb11cd9f2eb

SHA1
c6a565d220ff45730639cf5ec15a97a8ffa88dad

SHA256
e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

SHA512
bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
c95012f934b8bb6e1fb1bcb11cd9f2eb

SHA1
c6a565d220ff45730639cf5ec15a97a8ffa88dad

SHA256
e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

SHA512
bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
c95012f934b8bb6e1fb1bcb11cd9f2eb

SHA1
c6a565d220ff45730639cf5ec15a97a8ffa88dad

SHA256
e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

SHA512
bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe.config
Filesize
418B

MD5
47fb1af739ade4e938c8e6d2e504f4a4

SHA1
b5c2786f406614105e488ee500858fc09365170d

SHA256
552fc8db5bd09828e3d73ad68b737efc7f91980d860effd0c68f7d329cf20a92

SHA512
67eb6bade5cca517ef0ba29197548e1d3df45fbad8cf2e407dbb3927c09f3da5008783348716f77311d3e2528f473651c3c8f59bb6cbea31050e39ae5fd09297

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e1e29e723b9e1e50d31e316adab71499

SHA1
5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

SHA256
4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

SHA512
de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e1e29e723b9e1e50d31e316adab71499

SHA1
5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

SHA256
4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

SHA512
de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e1e29e723b9e1e50d31e316adab71499

SHA1
5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

SHA256
4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

SHA512
de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/1512-163-0x0000000000000000-mapping.dmp

Download
memory/1928-143-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp

Filesize
10.8MB

Download
memory/1928-136-0x0000000000000000-mapping.dmp

Download
memory/1928-140-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1928-141-0x0000000001200000-0x0000000001212000-memory.dmp

Filesize
72KB

Download
memory/1928-142-0x0000000002B30000-0x0000000002B6C000-memory.dmp

Filesize
240KB

Download
memory/3156-161-0x0000000000000000-mapping.dmp

Download
memory/3560-159-0x0000000000000000-mapping.dmp

Download
memory/3596-160-0x0000000000000000-mapping.dmp

Download
memory/3664-162-0x0000000000000000-mapping.dmp

Download
memory/3836-175-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/3836-170-0x0000000000000000-mapping.dmp

Download
memory/4088-156-0x0000000007F10000-0x000000000801A000-memory.dmp

Filesize
1.0MB

Download
memory/4088-169-0x0000000006AE0000-0x0000000006AEA000-memory.dmp

Filesize
40KB

Download
memory/4088-157-0x00000000081F0000-0x00000000083B2000-memory.dmp

Filesize
1.8MB

Download
memory/4088-147-0x0000000000000000-mapping.dmp

Download
memory/4088-152-0x00000000076F0000-0x0000000007756000-memory.dmp

Filesize
408KB

Download
memory/4088-155-0x0000000007680000-0x00000000076BC000-memory.dmp

Filesize
240KB

Download
memory/4088-154-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/4088-167-0x0000000006A60000-0x0000000006AD8000-memory.dmp

Filesize
480KB

Download
memory/4088-153-0x0000000008420000-0x0000000008A38000-memory.dmp

Filesize
6.1MB

Download
memory/4100-176-0x0000000000000000-mapping.dmp

Download
memory/4152-145-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp

Filesize
10.8MB

Download
memory/4152-168-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp

Filesize
10.8MB

Download
memory/4152-146-0x000000001C2A0000-0x000000001C3AA000-memory.dmp

Filesize
1.0MB

Download
memory/4160-135-0x0000000006060000-0x0000000006082000-memory.dmp

Filesize
136KB

Download
memory/4160-134-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/4160-132-0x0000000000C40000-0x0000000000F48000-memory.dmp

Filesize
3.0MB

Download
memory/4160-133-0x00000000060B0000-0x0000000006654000-memory.dmp

Filesize
5.6MB

Download
memory/4228-158-0x0000000000000000-mapping.dmp

Download
memory/5024-164-0x0000000000000000-mapping.dmp

Download