orcus | d55cb8d9ad30078be362414186e4e065394430c3c0b0fa83f06922f59d288a63

Analysis

max time kernel
574s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240802-ja
resource tags

arch:x64arch:x86image:win10v2004-20240802-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19/09/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

example.exe
Size

903KB
MD5

de87df65430d0f19436429db542fe5b0
SHA1

bd4026365cbb6d4a7ea8b17a8fea83ab2e7a6037
SHA256

d55cb8d9ad30078be362414186e4e065394430c3c0b0fa83f06922f59d288a63
SHA512

325a50723fbcf82df0a22bc7c68177bd7f9df25a155f204439a27d9aafcd089a8963020b4f8800da8bd444ec7481b5976f717ef7630aa2588dc9cb95c6c46c02
SSDEEP

12288:sTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBO:CqI4MROxnFMLqrZlI0AilFEvxHi5B

Score

10^/10

orcus evasion ransomware rat spyware stealer

Malware Config

Extracted

Family

orcus

text-eating.gl.at.ply.gg:52982

Mutex

8fd8dcabe5d849ad96f2d6e189ef12c1

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023461-36.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023461-36.dat	orcus
behavioral2/memory/2496-45-0x0000000000C70000-0x0000000000D58000-memory.dmp	orcus

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	example.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	Orcus.exe

Loads dropped DLL 1 IoCs

pid	Process
2496	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	example.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	example.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	Orcus.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	example.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	example.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	example.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	example.exe
File created	C:\Windows\assembly\Desktop.ini	example.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	example.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Orcus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Orcus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\WallpaperStyle = "1"	Orcus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\TileWallpaper = "1"	Orcus.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4672	WINWORD.EXE
4672	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	Orcus.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe
2496	Orcus.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2496	Orcus.exe
2496	Orcus.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE
4672	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 4424	4556	example.exe	83
PID 4556 wrote to memory of 4424	4556	example.exe	83
PID 4424 wrote to memory of 4848	4424	csc.exe	85
PID 4424 wrote to memory of 4848	4424	csc.exe	85
PID 4556 wrote to memory of 2496	4556	example.exe	91
PID 4556 wrote to memory of 2496	4556	example.exe	91
PID 2496 wrote to memory of 4764	2496	Orcus.exe	101
PID 2496 wrote to memory of 4764	2496	Orcus.exe	101
PID 2496 wrote to memory of 3996	2496	Orcus.exe	103
PID 2496 wrote to memory of 3996	2496	Orcus.exe	103

C:\Users\Admin\AppData\Local\Temp\example.exe
"C:\Users\Admin\AppData\Local\Temp\example.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgfswzum.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA21D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA21C.tmp"
    3⤵
    PID:4848
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Checks processor information in registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{91939e66-fadc-4fa5-8ee2-fab0755f33ea}.bat""
    3⤵
    PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{e1380002-1ea4-4582-acc0-56c7da2d9786}.bat""
    3⤵
    PID:3996

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RenameCompress.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
de87df65430d0f19436429db542fe5b0

SHA1
bd4026365cbb6d4a7ea8b17a8fea83ab2e7a6037

SHA256
d55cb8d9ad30078be362414186e4e065394430c3c0b0fa83f06922f59d288a63

SHA512
325a50723fbcf82df0a22bc7c68177bd7f9df25a155f204439a27d9aafcd089a8963020b4f8800da8bd444ec7481b5976f717ef7630aa2588dc9cb95c6c46c02

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA21D.tmp

Filesize
1KB

MD5
459e8035f15f4a841241500e645f7726

SHA1
6a1c181759868eac2e18830d31ca30a6ec6404a7

SHA256
37646e12898a36e51e00a8179e4c9030a90289fd9fa963fb6d539973f4ce6a70

SHA512
f9be13fb85dc91f59727d122cf5a51aa1ecb2fef8d926c748e8e2e625cdae4bfc8f93bce4ed1fae8f82f5a7bd62a21880f11a4232b6147d7575c1df9873d5522

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA8A2.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgfswzum.dll

Filesize
76KB

MD5
fb1c718b027da5edbba5ad24655d858a

SHA1
4f222ce40a695a5b3f20ec6ca6cbaf06bae0a625

SHA256
742f78e8f9fc07207d6bb1d7a719d05b0bfc0a2a7794df6066d91b5845ec3e85

SHA512
405b564a4e5a82f0866a5516786a6efa4b0113e1c787e50c7b2c5f77d64d17c8764dacffdd25a1bd52225c72d0f4c59e0bcc7b396034e800b56482dd733621de

Download Submit
C:\Users\Admin\AppData\Local\Temp\{91939e66-fadc-4fa5-8ee2-fab0755f33ea}.bat

Filesize
103B

MD5
ba019dae26b170d41d40b8fbf4cec751

SHA1
a68501fb52b2e6bc913306fe2650d4275de37894

SHA256
67918d6fdd118af0774b06faa3e1a88c4c5231a6d4b0c9df67a6cf061be5d130

SHA512
7378fdcf5bace5fef6d7ab5408863a7164fd92c9b06afc7334015eaf1620f87b09cdfe0d9ba202e77524e7608f27ffb7fea9c7be3f38eac37092e89c1c29e652

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
278B

MD5
bc07e1ba82e3c01f506e35f8ce74f484

SHA1
0adcc4220725dcdeb6e1ea11cdf390b714f80e56

SHA256
c3930ccffbe35ebb4d32d97b980f6e504262ce6e97e5159a2ead711f347ed789

SHA512
26fefc020a9cc655977a383b8a4436dccbeae14b41630da19d185c4a85ca730130141b110195f94480aa3d216e19e248f237f27577cb1dbcbc12af1576b894ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
426493224afc3cb86d8693effd142a63

SHA1
35d110f1f1aa421aa8cb27b9f9d6d81202c359cd

SHA256
80190f49c5f05eccb889801370475b82027b15a9b1b5b90017f3758603c3f0f2

SHA512
ab8501fa32f32fa561446a9cc7077993c64b152d1f53d1b73960b0054f2450c2dd4bf7e51a7440f352591a00029a9b744d023183e293b165df442cf641c5b975

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
8ab7bded0a33cc7b0b5493f35673c18d

SHA1
7cb8dc38fc668d523294991913b253486a164b46

SHA256
113b77d7fb440573984a9753cfc9e04a61db1b6a01d169ba19bae4eead6513da

SHA512
9c3f99b8baad2012248f726b5347aab09f0a1d219cfec2cb474b71dfb950eff6b64d9b8ac47684f9a6a9c524b89f097d4b1a03daea505a1c88fc69f234bdbc08

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_8fd8dcabe5d849ad96f2d6e189ef12c1\CSCore.dll

Filesize
516KB

MD5
dde3ec6e17bc518b10c99efbd09ab72e

SHA1
a2306e60b74b8a01a0dbc1199a7fffca288f2033

SHA256
60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8

SHA512
09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_8fd8dcabe5d849ad96f2d6e189ef12c1\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_8fd8dcabe5d849ad96f2d6e189ef12c1\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_8fd8dcabe5d849ad96f2d6e189ef12c1\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_8fd8dcabe5d849ad96f2d6e189ef12c1\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_8fd8dcabe5d849ad96f2d6e189ef12c1\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_8fd8dcabe5d849ad96f2d6e189ef12c1\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA21C.tmp

Filesize
676B

MD5
8fb29f242f88e9d1a39fccee453609e7

SHA1
bf343caf5368d12c2f16754071f68684de225f60

SHA256
c8a4f19779fb049a97ede3d85a10a4c98f7e907349daf3fb4fad5d748a63c8cb

SHA512
d48c9d16d1d257422d6db7221347d6ae770bc31ad8961859ba9ccdb3a8db03d4e95c1a9c3f79d3c424b1f17b040780962c99a569eec73aebe0e9f5385ec7506b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgfswzum.0.cs

Filesize
208KB

MD5
ec2be20be7a53505df15fde341b1e504

SHA1
6c6cfe9dbfb6d0c749263bc3fd01be7449f4f9fa

SHA256
11c7ad7b72dc5e909918953344c809b4c6130dec4d33ce5a366523f616f9f9f3

SHA512
95e2fc972a384349feae3470eaf4c2a471b471ded27a527974c607e769359c4b88d6044067cf6ec046eb0df4dc9b8aabb80d082f3165a6fd07bf5826846c6b1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgfswzum.cmdline

Filesize
349B

MD5
f02e18ebd7e1b52e560e5582c720b065

SHA1
af07e15285058773ad46d0600d4db35c076cb6ac

SHA256
49125d581b6366bb42efab83f2e90068b631ea1026c28f0a27b0d963bc016a1c

SHA512
2964435fac357347b30979f7c87a7108e7d3962e3a74c5de5eec426e2f21435477bc17b7a46a3ab190b0dba29c4b967647e61bfc1d1b0a88aed7dfcbac02bb1a

Download Submit
memory/2496-76-0x000000001C200000-0x000000001C226000-memory.dmp

Filesize
152KB

Download
memory/2496-61-0x000000001BE60000-0x000000001BEA4000-memory.dmp

Filesize
272KB

Download
memory/2496-328-0x000000001BF80000-0x000000001BFC8000-memory.dmp

Filesize
288KB

Download
memory/2496-47-0x0000000002FD0000-0x0000000002FE2000-memory.dmp

Filesize
72KB

Download
memory/2496-48-0x0000000002FE0000-0x0000000002FF8000-memory.dmp

Filesize
96KB

Download
memory/2496-49-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/2496-52-0x000000001C900000-0x000000001C912000-memory.dmp

Filesize
72KB

Download
memory/2496-53-0x000000001C960000-0x000000001C99C000-memory.dmp

Filesize
240KB

Download
memory/2496-54-0x000000001C9F0000-0x000000001CA40000-memory.dmp

Filesize
320KB

Download
memory/2496-55-0x000000001CB50000-0x000000001CC5A000-memory.dmp

Filesize
1.0MB

Download
memory/2496-56-0x000000001CC60000-0x000000001CD06000-memory.dmp

Filesize
664KB

Download
memory/2496-57-0x000000001CD10000-0x000000001CE1E000-memory.dmp

Filesize
1.1MB

Download
memory/2496-58-0x000000001CFF0000-0x000000001D1B2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-45-0x0000000000C70000-0x0000000000D58000-memory.dmp

Filesize
928KB

Download
memory/2496-66-0x000000001BEB0000-0x000000001BEFA000-memory.dmp

Filesize
296KB

Download
memory/2496-71-0x000000001C260000-0x000000001C2BA000-memory.dmp

Filesize
360KB

Download
memory/2496-331-0x000000001BF40000-0x000000001BF4C000-memory.dmp

Filesize
48KB

Download
memory/2496-81-0x000000001D1C0000-0x000000001D314000-memory.dmp

Filesize
1.3MB

Download
memory/2496-326-0x000000001DA20000-0x000000001DBB0000-memory.dmp

Filesize
1.6MB

Download
memory/2496-325-0x000000001DBC0000-0x000000001E0E8000-memory.dmp

Filesize
5.2MB

Download
memory/2496-336-0x000000001BD30000-0x000000001BD46000-memory.dmp

Filesize
88KB

Download
memory/2496-348-0x000000001D620000-0x000000001D66A000-memory.dmp

Filesize
296KB

Download
memory/2496-294-0x000000001E4D0000-0x000000001E5AA000-memory.dmp

Filesize
872KB

Download
memory/2496-289-0x000000001E440000-0x000000001E4C6000-memory.dmp

Filesize
536KB

Download
memory/2496-286-0x000000001D320000-0x000000001D3CA000-memory.dmp

Filesize
680KB

Download
memory/2496-347-0x000000001D3D0000-0x000000001D522000-memory.dmp

Filesize
1.3MB

Download
memory/4424-16-0x00007FFC05570000-0x00007FFC05F11000-memory.dmp

Filesize
9.6MB

Download
memory/4424-21-0x00007FFC05570000-0x00007FFC05F11000-memory.dmp

Filesize
9.6MB

Download
memory/4556-27-0x00007FFC05570000-0x00007FFC05F11000-memory.dmp

Filesize
9.6MB

Download
memory/4556-28-0x000000001FCB0000-0x000000001FD0A000-memory.dmp

Filesize
360KB

Download
memory/4556-1-0x00007FFC05570000-0x00007FFC05F11000-memory.dmp

Filesize
9.6MB

Download
memory/4556-2-0x00007FFC05570000-0x00007FFC05F11000-memory.dmp

Filesize
9.6MB

Download
memory/4556-3-0x000000001B450000-0x000000001B4AC000-memory.dmp

Filesize
368KB

Download
memory/4556-6-0x000000001B680000-0x000000001B68E000-memory.dmp

Filesize
56KB

Download
memory/4556-7-0x000000001BB60000-0x000000001C02E000-memory.dmp

Filesize
4.8MB

Download
memory/4556-8-0x000000001C0D0000-0x000000001C16C000-memory.dmp

Filesize
624KB

Download
memory/4556-23-0x000000001C1F0000-0x000000001C206000-memory.dmp

Filesize
88KB

Download
memory/4556-25-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/4556-26-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/4556-0-0x00007FFC05825000-0x00007FFC05826000-memory.dmp

Filesize
4KB

Download
memory/4556-46-0x00007FFC05570000-0x00007FFC05F11000-memory.dmp

Filesize
9.6MB

Download
memory/4672-322-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-84-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-87-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-86-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-320-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-321-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-90-0x00007FFBE1EF0000-0x00007FFBE1F00000-memory.dmp

Filesize
64KB

Download
memory/4672-323-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-85-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-88-0x00007FFBE4750000-0x00007FFBE4760000-memory.dmp

Filesize
64KB

Download
memory/4672-89-0x00007FFBE1EF0000-0x00007FFBE1F00000-memory.dmp

Filesize
64KB

Download