orcus | 803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe
Size

3.0MB
MD5

1c442246340be6c7f7d70150c5626ffd
SHA1

f74d1e6721db9163a7746755633b2a11aa064448
SHA256

803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43
SHA512

cf081aa1c10b2614bf10d54eff218bbb09b52d76b30a900411df3490fbb0ffa3134c66826315e681a42bee52ba433924005efc4393a6423bfd433b01e80929aa
SSDEEP

49152:V+LEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmvwsrZz:V+LtODUKTslWp2MpbfGGilIJPypSbxEl

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

127.0.0.1:10134

Mutex

0ece821d7cdc4863af5a95c1f4a79898

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
Temp\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234e3-238.dat	family_orcus
behavioral2/files/0x000300000001e73b-243.dat	family_orcus

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral2/memory/5108-39-0x000000001DCB0000-0x000000001DFAE000-memory.dmp	orcus
behavioral2/files/0x00080000000234e3-238.dat	orcus
behavioral2/files/0x000300000001e73b-243.dat	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	Orcus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	OrcusWatchdog.exe

Executes dropped EXE 4 IoCs

pid	Process
2808	Orcus.exe
916	Orcus.exe
2072	OrcusWatchdog.exe
2908	OrcusWatchdog.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe
2808	Orcus.exe
2908	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	Orcus.exe
Token: SeDebugPrivilege	2072	OrcusWatchdog.exe
Token: SeDebugPrivilege	2908	OrcusWatchdog.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 2972	5108	803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe	84
PID 5108 wrote to memory of 2972	5108	803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe	84
PID 2972 wrote to memory of 3480	2972	csc.exe	86
PID 2972 wrote to memory of 3480	2972	csc.exe	86
PID 5108 wrote to memory of 2808	5108	803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe	101
PID 5108 wrote to memory of 2808	5108	803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe	101
PID 2808 wrote to memory of 2072	2808	Orcus.exe	103
PID 2808 wrote to memory of 2072	2808	Orcus.exe	103
PID 2808 wrote to memory of 2072	2808	Orcus.exe	103
PID 2072 wrote to memory of 2908	2072	OrcusWatchdog.exe	104
PID 2072 wrote to memory of 2908	2072	OrcusWatchdog.exe	104
PID 2072 wrote to memory of 2908	2072	OrcusWatchdog.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe
"C:\Users\Admin\AppData\Local\Temp\803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wys6g0-n.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB68F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB68E.tmp"
    3⤵
    PID:3480
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2808
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2808
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
1c442246340be6c7f7d70150c5626ffd

SHA1
f74d1e6721db9163a7746755633b2a11aa064448

SHA256
803776c8b23ad99dbd923575c31303896d5d00b431d712bef1594369ddd57c43

SHA512
cf081aa1c10b2614bf10d54eff218bbb09b52d76b30a900411df3490fbb0ffa3134c66826315e681a42bee52ba433924005efc4393a6423bfd433b01e80929aa

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1460.exe

Filesize
3.0MB

MD5
1e03f7964093b61bd06d3d93a1a23840

SHA1
b249fc42263fb0b5d4f6821de36981efb5ea1055

SHA256
6d884a0ecfe3112cae0349c92ba7c17c2d2928fdb8e01ae5a2277d6e47b17b9f

SHA512
e2793c44a686d1e1361131e89b0f4d89846a1261ecbaa6712b25f9f30b39385755267283280d98314112335cdbf6c8abf6d4e52c5b330706453914ef0e83c718

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

Filesize
9KB

MD5
7a195b6c9de2d5cab015f649da6931a1

SHA1
89f7372dd92a90a8e13b74ee512b464412e4cf9b

SHA256
30183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc

SHA512
3c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB68F.tmp

Filesize
1KB

MD5
c64681e50e0c828c74abb10a31fb9d7d

SHA1
a3661ff38a8198701b14a4f9a33d3340796b93a7

SHA256
804e9ae7a0798654b4c11d997dc40614a0c214dac5a8f30b9e1acab93fbfe04c

SHA512
6c99f9072039e2766261396a959a65222bdd460944fcec1da2987994a39c68cbcc191925f1120cec2c056bfe5b8e06ad0dcb2ee77494223ecaba76b5ad9cad19

Download Submit
C:\Users\Admin\AppData\Local\Temp\wys6g0-n.dll

Filesize
76KB

MD5
d11fed11d528a8a5cc8cad8a1407bb36

SHA1
383d07d1de485446890121d5a5b7751f72cd239e

SHA256
694f672312bd7770a6245fcf512c9185e679c399a22a767bd9e3ee0fcd49c30c

SHA512
07aba703c905002c8115e4fb18a8fbe7fa49c4d8a8624f2df93e101bcbac7f0671666c2e31f1ac66c39b839fdd739e6bcf2303a8bd1fc5e93332fed71b480c35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB68E.tmp

Filesize
676B

MD5
6e633ea820c157f548eab50390af5a6c

SHA1
4bd355b2aa47f05b42a41fa629d1aa1a86ad9138

SHA256
48512a9294bbefc05f0fda29c408dea3f42088484473f59d9b85d64df4bdd167

SHA512
e5adc9ed6b4ff74e6adae8a571c29f32b23bc0497547ffb1ac5e27e217d82653cee6f9693e9b3d1d62395985721fe096846e2707ec048f904266819b2e466a8d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wys6g0-n.0.cs

Filesize
208KB

MD5
fef9663ec6866f04e9b7a00685eb136b

SHA1
4951b4d83297a6a96ad0610f5f5ca7dedf63af76

SHA256
3a79dfee7ffa5a851d6bf80e8e6e9f99cf597894bd57b1b596d55287b3674f8a

SHA512
0d7fad474f358189abf830e4f9148ae9cf6d4018d0b385d22d96b5d06660878918d09b37ab8e8471a7a958e76bfa03ef6145958e1c958251e81047a6ec6f8d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wys6g0-n.cmdline

Filesize
349B

MD5
e2b8e79dc571d661289a75d3a66f18a8

SHA1
d55e50d5169eaa11354db521bff33330691e1ca3

SHA256
7f48031a2f742b5e7abf29e84d21b6469ed3c5000d34596bc3f17ac76d7c7875

SHA512
1a36f5de7184f224dc50d98bf4fcde4a7c95d3f93faab92a6d4641903035ec5e5b533dbbda27d837b1c24f7d399672b23d5622dcd8e7bade7e66e684d05b6e06

Download Submit
memory/2972-14-0x00007FFEF9940000-0x00007FFEFA2E1000-memory.dmp

Filesize
9.6MB

Download
memory/2972-19-0x00007FFEF9940000-0x00007FFEFA2E1000-memory.dmp

Filesize
9.6MB

Download
memory/5108-70-0x000000001D1A0000-0x000000001D1AE000-memory.dmp

Filesize
56KB

Download
memory/5108-41-0x000000001D430000-0x000000001D450000-memory.dmp

Filesize
128KB

Download
memory/5108-21-0x000000001CDC0000-0x000000001CDD6000-memory.dmp

Filesize
88KB

Download
memory/5108-5-0x000000001C250000-0x000000001C71E000-memory.dmp

Filesize
4.8MB

Download
memory/5108-23-0x000000001C8A0000-0x000000001C8B2000-memory.dmp

Filesize
72KB

Download
memory/5108-24-0x000000001C880000-0x000000001C888000-memory.dmp

Filesize
32KB

Download
memory/5108-25-0x000000001C8C0000-0x000000001C8C8000-memory.dmp

Filesize
32KB

Download
memory/5108-30-0x000000001CDF0000-0x000000001CDFE000-memory.dmp

Filesize
56KB

Download
memory/5108-31-0x000000001D150000-0x000000001D1D4000-memory.dmp

Filesize
528KB

Download
memory/5108-32-0x000000001D160000-0x000000001D168000-memory.dmp

Filesize
32KB

Download
memory/5108-33-0x000000001D420000-0x000000001D428000-memory.dmp

Filesize
32KB

Download
memory/5108-34-0x000000001D420000-0x000000001D428000-memory.dmp

Filesize
32KB

Download
memory/5108-35-0x000000001D420000-0x000000001D42C000-memory.dmp

Filesize
48KB

Download
memory/5108-36-0x000000001D420000-0x000000001D42A000-memory.dmp

Filesize
40KB

Download
memory/5108-37-0x000000001D440000-0x000000001D470000-memory.dmp

Filesize
192KB

Download
memory/5108-38-0x000000001D9B0000-0x000000001DA24000-memory.dmp

Filesize
464KB

Download
memory/5108-39-0x000000001DCB0000-0x000000001DFAE000-memory.dmp

Filesize
3.0MB

Download
memory/5108-76-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-42-0x000000001D420000-0x000000001D42E000-memory.dmp

Filesize
56KB

Download
memory/5108-43-0x000000001D9B0000-0x000000001DA44000-memory.dmp

Filesize
592KB

Download
memory/5108-44-0x0000000140000000-0x0000000140031000-memory.dmp

Filesize
196KB

Download
memory/5108-50-0x000000001D400000-0x000000001D418000-memory.dmp

Filesize
96KB

Download
memory/5108-51-0x000000001D400000-0x000000001D416000-memory.dmp

Filesize
88KB

Download
memory/5108-52-0x000000001D430000-0x000000001D45A000-memory.dmp

Filesize
168KB

Download
memory/5108-53-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

Filesize
32KB

Download
memory/5108-54-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-55-0x000000001D400000-0x000000001D420000-memory.dmp

Filesize
128KB

Download
memory/5108-75-0x000000001D1A0000-0x000000001D1AA000-memory.dmp

Filesize
40KB

Download
memory/5108-57-0x000000001D440000-0x000000001D480000-memory.dmp

Filesize
256KB

Download
memory/5108-58-0x000000001D440000-0x000000001D47E000-memory.dmp

Filesize
248KB

Download
memory/5108-59-0x000000001D430000-0x000000001D45C000-memory.dmp

Filesize
176KB

Download
memory/5108-77-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-61-0x000000001D1A0000-0x000000001D1AA000-memory.dmp

Filesize
40KB

Download
memory/5108-62-0x000000001D430000-0x000000001D454000-memory.dmp

Filesize
144KB

Download
memory/5108-63-0x000000001D430000-0x000000001D458000-memory.dmp

Filesize
160KB

Download
memory/5108-64-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-65-0x000000001D1A0000-0x000000001D1AA000-memory.dmp

Filesize
40KB

Download
memory/5108-66-0x000000001D400000-0x000000001D41E000-memory.dmp

Filesize
120KB

Download
memory/5108-67-0x000000001D400000-0x000000001D41E000-memory.dmp

Filesize
120KB

Download
memory/5108-68-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

Filesize
32KB

Download
memory/5108-69-0x000000001D1A0000-0x000000001D1AA000-memory.dmp

Filesize
40KB

Download
memory/5108-4-0x00007FFEF9940000-0x00007FFEFA2E1000-memory.dmp

Filesize
9.6MB

Download
memory/5108-71-0x000000001D400000-0x000000001D414000-memory.dmp

Filesize
80KB

Download
memory/5108-72-0x000000001D1A0000-0x000000001D1B0000-memory.dmp

Filesize
64KB

Download
memory/5108-73-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-74-0x000000001D430000-0x000000001D458000-memory.dmp

Filesize
160KB

Download
memory/5108-56-0x000000001D430000-0x000000001D456000-memory.dmp

Filesize
152KB

Download
memory/5108-6-0x000000001C7C0000-0x000000001C85C000-memory.dmp

Filesize
624KB

Download
memory/5108-60-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

Filesize
32KB

Download
memory/5108-78-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-79-0x000000001D400000-0x000000001D414000-memory.dmp

Filesize
80KB

Download
memory/5108-80-0x000000001D400000-0x000000001D418000-memory.dmp

Filesize
96KB

Download
memory/5108-81-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-82-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-83-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-84-0x000000001D1A0000-0x000000001D1B0000-memory.dmp

Filesize
64KB

Download
memory/5108-85-0x000000001D1A0000-0x000000001D1AE000-memory.dmp

Filesize
56KB

Download
memory/5108-86-0x000000001D430000-0x000000001D452000-memory.dmp

Filesize
136KB

Download
memory/5108-87-0x000000001D400000-0x000000001D41C000-memory.dmp

Filesize
112KB

Download
memory/5108-88-0x000000001D400000-0x000000001D414000-memory.dmp

Filesize
80KB

Download
memory/5108-89-0x000000001D400000-0x000000001D41A000-memory.dmp

Filesize
104KB

Download
memory/5108-90-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-91-0x000000001D1A0000-0x000000001D1AE000-memory.dmp

Filesize
56KB

Download
memory/5108-92-0x000000001D400000-0x000000001D418000-memory.dmp

Filesize
96KB

Download
memory/5108-93-0x000000001D400000-0x000000001D412000-memory.dmp

Filesize
72KB

Download
memory/5108-94-0x000000001D1A0000-0x000000001D1AE000-memory.dmp

Filesize
56KB

Download
memory/5108-95-0x000000001D1A0000-0x000000001D1AA000-memory.dmp

Filesize
40KB

Download
memory/5108-96-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

Filesize
32KB

Download
memory/5108-97-0x000000001D400000-0x000000001D41C000-memory.dmp

Filesize
112KB

Download
memory/5108-98-0x000000001D400000-0x000000001D41C000-memory.dmp

Filesize
112KB

Download
memory/5108-99-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

Filesize
32KB

Download
memory/5108-100-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

Filesize
32KB

Download
memory/5108-101-0x000000001D1A0000-0x000000001D1A8000-memory.dmp

Filesize
32KB

Download
memory/5108-102-0x000000001D1A0000-0x000000001D1AE000-memory.dmp

Filesize
56KB

Download
memory/5108-103-0x000000001D400000-0x000000001D412000-memory.dmp

Filesize
72KB

Download
memory/5108-104-0x000000001D1A0000-0x000000001D1AE000-memory.dmp

Filesize
56KB

Download
memory/5108-105-0x000000001D1A0000-0x000000001D1AA000-memory.dmp

Filesize
40KB

Download
memory/5108-106-0x000000001D430000-0x000000001D45A000-memory.dmp

Filesize
168KB

Download
memory/5108-107-0x000000001D430000-0x000000001D458000-memory.dmp

Filesize
160KB

Download
memory/5108-108-0x000000001D400000-0x000000001D41E000-memory.dmp

Filesize
120KB

Download
memory/5108-109-0x000000001D430000-0x000000001D456000-memory.dmp

Filesize
152KB

Download
memory/5108-110-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-111-0x000000001D1A0000-0x000000001D1AA000-memory.dmp

Filesize
40KB

Download
memory/5108-112-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-113-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-114-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-115-0x000000001D400000-0x000000001D414000-memory.dmp

Filesize
80KB

Download
memory/5108-116-0x000000001D400000-0x000000001D418000-memory.dmp

Filesize
96KB

Download
memory/5108-117-0x000000001D1A0000-0x000000001D1AE000-memory.dmp

Filesize
56KB

Download
memory/5108-118-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/5108-119-0x000000001D400000-0x000000001D420000-memory.dmp

Filesize
128KB

Download
memory/5108-137-0x000000001D1E0000-0x000000001D26E000-memory.dmp

Filesize
568KB

Download
memory/5108-3-0x000000001B910000-0x000000001B91E000-memory.dmp

Filesize
56KB

Download
memory/5108-2-0x000000001B960000-0x000000001B9BC000-memory.dmp

Filesize
368KB

Download
memory/5108-1-0x00007FFEF9940000-0x00007FFEFA2E1000-memory.dmp

Filesize
9.6MB

Download
memory/5108-0-0x00007FFEF9BF5000-0x00007FFEF9BF6000-memory.dmp

Filesize
4KB

Download