orcus | 471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9

Analysis

max time kernel
1805s
max time network
1805s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe
Size

922.0MB
MD5

579579c7f692ec28c4b198f6dd30f372
SHA1

5eeeaf129ba78eec60d3a5cdb16d3d31eeb4a015
SHA256

245806b93b9d8c782086ddd542a45e3f8920031ef450335c18fe2402b963b365
SHA512

18ff96211d56d076c3b1ee29d18591cdc483761ddf0284dba26a6751d91db595d65500c0d3a5a92cc3c1512c53dad42fc8ee6d9d0a4b51a1789453c7eaecb31c
SSDEEP

49152:p9sij7wmgm0JRjaXUVPJUdDrAZY6DQAJE8lIZCmT3KxX9xtARkN2AWUoWHF08xGw:Mij7wgEVPJU+ZHDPtqn3QjtAFIFKIz

Score

10^/10

orcus execution persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

209.25.141.181:40489

Mutex

690c4574d03b45e4b89aa16b415b7baf

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\Chrome\Plugins\chromedriver.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
svchost
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

Processes:

resource	yara_rule
behavioral20/memory/2100-112-0x00000000007F0000-0x00000000008DC000-memory.dmp	orcus

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BlitzedGrabberX96 Installer.exechromedriver.exechromedriver.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	BlitzedGrabberX96 Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	chromedriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	chromedriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 14 IoCs

Processes:

BlitzedGrabberX96 Install.exeUnityCrashHandler.EXEchromedriver.exeWindowsInput.exeWindowsInput.exechromedriver.exechromedriver.exesvchost.exesvchost.exechromedriver.exechromedriver.exechromedriver.exechromedriver.exechromedriver.exe

pid	process
1028	BlitzedGrabberX96 Install.exe
2404	UnityCrashHandler.EXE
372	chromedriver.exe
4108	WindowsInput.exe
1520	WindowsInput.exe
2100	chromedriver.exe
4764	chromedriver.exe
4048	svchost.exe
4224	svchost.exe
1872	chromedriver.exe
2532	chromedriver.exe
1952	chromedriver.exe
3212	chromedriver.exe
5008	chromedriver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UnityCrashHandler.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	UnityCrashHandler.EXE

Drops desktop.ini file(s) 2 IoCs

Processes:

chromedriver.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	chromedriver.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	chromedriver.exe

Drops file in System32 directory 3 IoCs

Processes:

chromedriver.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	chromedriver.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Windows directory 3 IoCs

Processes:

chromedriver.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	chromedriver.exe
File opened for modification	C:\Windows\assembly	chromedriver.exe
File created	C:\Windows\assembly\Desktop.ini	chromedriver.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

5064 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesvchost.exechromedriver.exe

pid	process
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
4224	svchost.exe
4224	svchost.exe
4224	svchost.exe
4224	svchost.exe
2100	chromedriver.exe
2100	chromedriver.exe
2100	chromedriver.exe
2100	chromedriver.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
4224	svchost.exe
2100	chromedriver.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
4224	svchost.exe
2100	chromedriver.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
4224	svchost.exe
2100	chromedriver.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe
4224	svchost.exe
4224	svchost.exe
2100	chromedriver.exe
2100	chromedriver.exe
4224	svchost.exe
2100	chromedriver.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exechromedriver.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	2100	chromedriver.exe
Token: SeDebugPrivilege	4048	svchost.exe
Token: SeDebugPrivilege	4224	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

BlitzedGrabberX96 Install.exechromedriver.exe

pid process

1028 BlitzedGrabberX96 Install.exe
1028 BlitzedGrabberX96 Install.exe
2100 chromedriver.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

BlitzedGrabberX96 Installer.exeUnityCrashHandler.EXEchromedriver.execsc.exechromedriver.exesvchost.exe

description	pid	process	target process
PID 3980 wrote to memory of 1028	3980	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 3980 wrote to memory of 1028	3980	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 3980 wrote to memory of 1028	3980	BlitzedGrabberX96 Installer.exe	BlitzedGrabberX96 Install.exe
PID 3980 wrote to memory of 2404	3980	BlitzedGrabberX96 Installer.exe	UnityCrashHandler.EXE
PID 3980 wrote to memory of 2404	3980	BlitzedGrabberX96 Installer.exe	UnityCrashHandler.EXE
PID 2404 wrote to memory of 5064	2404	UnityCrashHandler.EXE	powershell.exe
PID 2404 wrote to memory of 5064	2404	UnityCrashHandler.EXE	powershell.exe
PID 3980 wrote to memory of 372	3980	BlitzedGrabberX96 Installer.exe	chromedriver.exe
PID 3980 wrote to memory of 372	3980	BlitzedGrabberX96 Installer.exe	chromedriver.exe
PID 372 wrote to memory of 3016	372	chromedriver.exe	csc.exe
PID 372 wrote to memory of 3016	372	chromedriver.exe	csc.exe
PID 3016 wrote to memory of 4416	3016	csc.exe	cvtres.exe
PID 3016 wrote to memory of 4416	3016	csc.exe	cvtres.exe
PID 372 wrote to memory of 4108	372	chromedriver.exe	WindowsInput.exe
PID 372 wrote to memory of 4108	372	chromedriver.exe	WindowsInput.exe
PID 372 wrote to memory of 2100	372	chromedriver.exe	chromedriver.exe
PID 372 wrote to memory of 2100	372	chromedriver.exe	chromedriver.exe
PID 2100 wrote to memory of 4048	2100	chromedriver.exe	svchost.exe
PID 2100 wrote to memory of 4048	2100	chromedriver.exe	svchost.exe
PID 2100 wrote to memory of 4048	2100	chromedriver.exe	svchost.exe
PID 4048 wrote to memory of 4224	4048	svchost.exe	svchost.exe
PID 4048 wrote to memory of 4224	4048	svchost.exe	svchost.exe
PID 4048 wrote to memory of 4224	4048	svchost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File poo.ps1
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s3enpauj.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93D5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC93D4.tmp"
4⤵
PID:4416

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4108

C:\ProgramData\Chrome\Plugins\chromedriver.exe
"C:\ProgramData\Chrome\Plugins\chromedriver.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 2100 /protectFile
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\Plugins\chromedriver.exe" 2100 "/protectFile"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1520

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:4764

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:1872

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:2532

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:1952

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:3212

C:\ProgramData\Chrome\Plugins\chromedriver.exe
C:\ProgramData\Chrome\Plugins\chromedriver.exe
1⤵
- Executes dropped EXE
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chromedriver.exe.log
Filesize
1KB

MD5
9be3069b2cf9222dde6c28dd9180a35a

SHA1
14b76614ed5c94c513b10ada5bd642e888fc1231

SHA256
5e4c38466764be178ea21ba3149d0580d25d035b57e081b3abb9c06a19cfd67a

SHA512
043256f38c20d8765ddf2f1d5912249bfbb017c0b630d24d9e4894f4a759dec66bf0ffaf878ac69e9dfd6db7ec5e090dd69de2333d83299ef43888c394398885

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
Filesize
2.8MB

MD5
46d8dfadf7f9d90385ab7df71b5adce3

SHA1
99482121b86c790a6f2d732b0a47a1e41922518f

SHA256
7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c

SHA512
2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\poo.ps1
Filesize
35B

MD5
5d792fc7c4e2fd3eb595fce4883dcb2d

SHA1
ee2a88f769ad746f119e144bd06832cb55ef1e0f

SHA256
41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb

SHA512
4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93D5.tmp
Filesize
1KB

MD5
aa6e7b4b661381c6008332ceac316ffc

SHA1
975ee6b29a50c50d1286326aab4a478ef67ee396

SHA256
5e04e7a81f03d8bd3ce58c6944929f1c67c2379c1898c17f834ddf396120ebc5

SHA512
88a3d3b95a17c999ba07f273bc8c5baefc8d120151d5763c86bd894eb6e57a62c9ab8c39ee1a9c87269c1b7c5427c1367eb300004fcd88349e154908adfb9593

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
Filesize
155KB

MD5
69bef95f8029651ff546b59544d3d6cd

SHA1
a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9

SHA256
0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac

SHA512
b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k31j2ajk.vmi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3enpauj.dll
Filesize
76KB

MD5
02d1092313c35e8735e96ba40f9f6571

SHA1
4c2ec15bceccf5f69ae052af9d41e3b1baa2749a

SHA256
53f9ccf550c7f8d420bd4715ca70b5a27372f8bc39633aeab067b7d9b938f004

SHA512
ebc3d74ef92747cfad43feb83fb0ec3d32b7e27910944b750cbbf0b5ed658d60c7caf8aab2902012335be9cad6bc04156d9d4039c5ab6802d92e7dbdfc599014

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC93D4.tmp
Filesize
676B

MD5
2e73985cb7bc9bcc7b1fa7d670f9b653

SHA1
f20ee1566fd12c6d2aba7c0451c068aa44c68e35

SHA256
761a4e2426b7d3b366bd2249d1b9893d3ce418b5b345c09e2e9ba28f2aa755a7

SHA512
b7467af19ea51726f9e3f9a7af3c0ba294be982074d1573cc9f048c9cdb7c968af5304a0d77ea4a4571afa79e76c74684dd6e028fb65b26ff9e66e76d21400d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s3enpauj.0.cs
Filesize
208KB

MD5
8f4c8b3dd6336c0546193d256cbac0c0

SHA1
449cf6bbf8f71440dc38678e9fc31647e275e3f2

SHA256
4ae388412be71535e6d23185eac1bde10ac2de9f3f3a7afbfbd30ebdbfd53f61

SHA512
938c6c8f929991d08101a94d47704ae814871d09c96077175eeea041e68905bdbc5bab46ef169e8ec5988c6a1d5f80ec232bc9051a71b3a7a5a2d9f5237f0ed7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s3enpauj.cmdline
Filesize
349B

MD5
e0931a488c8724f5226896535c2630d4

SHA1
a5bfa928e736ab1bca29040218153c1108842d50

SHA256
a219902cb60b3c2ed5c8a0aa782bdb4a4e2dfe24ed4c8050d6ff9e530f5b93eb

SHA512
51d52fc852582534e81e05f229151fe9a9e79af7eff8b1b49ba31c8fec234b3124d4fc008a4a0df7a98c06b68ece26dda29fb5681f76be6cfd67f1686227d2de

Download Submit
memory/372-70-0x000000001CE30000-0x000000001CE46000-memory.dmp

Filesize
88KB

Download
memory/372-56-0x000000001C210000-0x000000001C6DE000-memory.dmp

Filesize
4.8MB

Download
memory/372-55-0x000000001BC20000-0x000000001BC2E000-memory.dmp

Filesize
56KB

Download
memory/372-52-0x000000001BB30000-0x000000001BB8C000-memory.dmp

Filesize
368KB

Download
memory/372-57-0x000000001C780000-0x000000001C81C000-memory.dmp

Filesize
624KB

Download
memory/372-72-0x000000001BA90000-0x000000001BAA2000-memory.dmp

Filesize
72KB

Download
memory/372-73-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

Filesize
32KB

Download
memory/372-74-0x000000001CE70000-0x000000001CE90000-memory.dmp

Filesize
128KB

Download
memory/1520-95-0x0000000019DE0000-0x0000000019EEA000-memory.dmp

Filesize
1.0MB

Download
memory/2100-113-0x000000001B430000-0x000000001B442000-memory.dmp

Filesize
72KB

Download
memory/2100-112-0x00000000007F0000-0x00000000008DC000-memory.dmp

Filesize
944KB

Download
memory/2100-118-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/2100-117-0x000000001BD80000-0x000000001BF42000-memory.dmp

Filesize
1.8MB

Download
memory/2100-116-0x000000001BA40000-0x000000001BA58000-memory.dmp

Filesize
96KB

Download
memory/2100-114-0x000000001B440000-0x000000001B48E000-memory.dmp

Filesize
312KB

Download
memory/3980-0-0x00007FFF6BAF3000-0x00007FFF6BAF5000-memory.dmp

Filesize
8KB

Download
memory/3980-51-0x00007FFF6BAF0000-0x00007FFF6C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-3-0x00007FFF6BAF0000-0x00007FFF6C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-1-0x0000000000240000-0x00000000006DA000-memory.dmp

Filesize
4.6MB

Download
memory/4048-132-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/4108-90-0x00000000028F0000-0x000000000292C000-memory.dmp

Filesize
240KB

Download
memory/4108-89-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4108-88-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/5064-35-0x00000135FC090000-0x00000135FC0B2000-memory.dmp

Filesize
136KB

Download