orcus | 860a91929d180d1793d22d43b7815e0b0ef5dcdd74a235427c7063b15b141724

Analysis

max time kernel
157s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
Size

910KB
MD5

c7fdf7d3486fad12c07ac3a3da853fca
SHA1

4f1239e364ba469d8252dd17c25fdfc2f096eb65
SHA256

131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e
SHA512

7d8cc340b3e2d059744457d95ecea7e4f1f6a80be508a86125a418782da5b06bd62106a44830825b9fda501bd6c4099487729d3120c111a60766e2bee5890292
SSDEEP

24576:keu4MROxnFf3xsPekrZlI0AilFEvxHith4:ketMidsrZlI0AilFEvxHit

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

45.81.39.83:3456

Mutex

4912f043b8a245f39167b534cb611529

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 4 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2776-134-0x0000000000F40000-0x000000000102A000-memory.dmp	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exeOrcus.exeOrcusWatchdog.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Orcus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	OrcusWatchdog.exe

Executes dropped EXE 4 IoCs

Processes:

Orcus.exeOrcus.exeOrcusWatchdog.exeOrcusWatchdog.exe

pid process

3348 Orcus.exe
2856 Orcus.exe
2280 OrcusWatchdog.exe
4340 OrcusWatchdog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Orcus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe

Drops file in Program Files directory 3 IoCs

Processes:

131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe

Drops file in Windows directory 3 IoCs

Processes:

131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
File opened for modification	C:\Windows\assembly	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Orcus.exeOrcusWatchdog.exe

pid	process
3348	Orcus.exe
3348	Orcus.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
4340	OrcusWatchdog.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe
4340	OrcusWatchdog.exe
3348	Orcus.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Orcus.exeOrcusWatchdog.exeOrcusWatchdog.exe

description pid process

Token: SeDebugPrivilege 3348 Orcus.exe
Token: SeDebugPrivilege 2280 OrcusWatchdog.exe
Token: SeDebugPrivilege 4340 OrcusWatchdog.exe

description	pid	process
Token: SeDebugPrivilege	3348	Orcus.exe
Token: SeDebugPrivilege	2280	OrcusWatchdog.exe
Token: SeDebugPrivilege	4340	OrcusWatchdog.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.execsc.exeOrcus.exeOrcusWatchdog.exe

description	pid	process	target process
PID 2776 wrote to memory of 1564	2776	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe	csc.exe
PID 2776 wrote to memory of 1564	2776	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe	csc.exe
PID 1564 wrote to memory of 716	1564	csc.exe	cvtres.exe
PID 1564 wrote to memory of 716	1564	csc.exe	cvtres.exe
PID 2776 wrote to memory of 3348	2776	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe	Orcus.exe
PID 2776 wrote to memory of 3348	2776	131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe	Orcus.exe
PID 3348 wrote to memory of 2280	3348	Orcus.exe	OrcusWatchdog.exe
PID 3348 wrote to memory of 2280	3348	Orcus.exe	OrcusWatchdog.exe
PID 3348 wrote to memory of 2280	3348	Orcus.exe	OrcusWatchdog.exe
PID 2280 wrote to memory of 4340	2280	OrcusWatchdog.exe	OrcusWatchdog.exe
PID 2280 wrote to memory of 4340	2280	OrcusWatchdog.exe	OrcusWatchdog.exe
PID 2280 wrote to memory of 4340	2280	OrcusWatchdog.exe	OrcusWatchdog.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
"C:\Users\Admin\AppData\Local\Temp\131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\weilgybo.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAE5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDAE4.tmp"
3⤵
PID:716

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 3348 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 3348 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
910KB

MD5
c7fdf7d3486fad12c07ac3a3da853fca

SHA1
4f1239e364ba469d8252dd17c25fdfc2f096eb65

SHA256
131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e

SHA512
7d8cc340b3e2d059744457d95ecea7e4f1f6a80be508a86125a418782da5b06bd62106a44830825b9fda501bd6c4099487729d3120c111a60766e2bee5890292

Download Submit
C:\Program Files\Orcus\Orcus.exe

Filesize
910KB

MD5
c7fdf7d3486fad12c07ac3a3da853fca

SHA1
4f1239e364ba469d8252dd17c25fdfc2f096eb65

SHA256
131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e

SHA512
7d8cc340b3e2d059744457d95ecea7e4f1f6a80be508a86125a418782da5b06bd62106a44830825b9fda501bd6c4099487729d3120c111a60766e2bee5890292

Download Submit
C:\Program Files\Orcus\Orcus.exe

Filesize
910KB

MD5
c7fdf7d3486fad12c07ac3a3da853fca

SHA1
4f1239e364ba469d8252dd17c25fdfc2f096eb65

SHA256
131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e

SHA512
7d8cc340b3e2d059744457d95ecea7e4f1f6a80be508a86125a418782da5b06bd62106a44830825b9fda501bd6c4099487729d3120c111a60766e2bee5890292

Download Submit
C:\Program Files\Orcus\Orcus.exe

Filesize
910KB

MD5
c7fdf7d3486fad12c07ac3a3da853fca

SHA1
4f1239e364ba469d8252dd17c25fdfc2f096eb65

SHA256
131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e

SHA512
7d8cc340b3e2d059744457d95ecea7e4f1f6a80be508a86125a418782da5b06bd62106a44830825b9fda501bd6c4099487729d3120c111a60766e2bee5890292

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDAE5.tmp

Filesize
1KB

MD5
e4e356004aadde288329e5ebeee52f2c

SHA1
972d2e92fb078e478a2a63fb60dabae2d5e14f8b

SHA256
798afa3405b9b35dfb022b0fe36e191a04d2af3eaf6404358d0fae0b86e8bd28

SHA512
dc1469c3426f0ec6bf75277232098c43eda3ded1e9eabad93e54c4793b9e1ecb9991103c53ac6da7a50025b11978d7a5e9eb63579ea6178b250cd8349572f9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\weilgybo.dll

Filesize
76KB

MD5
5f19a73383e5f3b22cb358dc5006b461

SHA1
6a6969eb918e217867f42a99e8a13966f5aeca3b

SHA256
f21a12372ac74f4c53b88ada333b8a356aec083dae2654af207a188f04decdf8

SHA512
e931a6a4a2c3e7ffb37eb70c3ee98e41b1dd891177a3ef8d1bed7c4ecaa535056cf9a71659c4a957c2aec82d643c303ccc4ee7f18718787dad0c0d094529ec66

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDAE4.tmp

Filesize
676B

MD5
7775a9f70a00eb27afecfaa71d6c3773

SHA1
279bb6e7928687ce48654b8ace6ecd6193056281

SHA256
5c059489cc0df4744288e9db4a6d64518c4547d13e4ede9be51f9043867e6bff

SHA512
4a0313199e4c31a7cebda4ea3700cad3cb048222ee31b076b55b54ac35e2595afe118688e500f12207a7e6f0da94a24cf7d884d16a310296bd3bf422c2de7fda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\weilgybo.0.cs

Filesize
208KB

MD5
6962e84ed3acc6c36c6fd65fd2e59851

SHA1
bd58954739667c48c4390aae5b2348bc8f97c11c

SHA256
a0b33a459c0af382a96418297229bd9fcc23e197da64c1e4a9ffad2f31bf14de

SHA512
161f81a6cf0e382efe8b52f39884540e95635d6ac7677044a4f9968a7fccc7059ee4c842424804dddb451a9d43f716e5301d10071a932cd7fc84608fa2b113d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\weilgybo.cmdline

Filesize
349B

MD5
014dce9b051a82e538bf171af667db27

SHA1
06ff9c74698de9a9f07628eb53449ad39c2935f2

SHA256
ffec394c4937b67dfe067c011da9205898a47465e6c12f6bc1a3edd951de2975

SHA512
dd0eb9ebfe6adec2a62b18d3393362c5e4372f8e945850ce9355ef2e43d0d441933083d4ab9a281261fa9cfd4600eac797dcd52f35c6b524e263a317679bdc98

Download Submit
memory/1564-148-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2280-188-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2776-135-0x000000001BFF0000-0x000000001C04C000-memory.dmp

Filesize
368KB

Download
memory/2776-154-0x000000001C110000-0x000000001C126000-memory.dmp

Filesize
88KB

Download
memory/2776-139-0x000000001D140000-0x000000001D60E000-memory.dmp

Filesize
4.8MB

Download
memory/2776-134-0x0000000000F40000-0x000000000102A000-memory.dmp

Filesize
936KB

Download
memory/2776-138-0x000000001C0D0000-0x000000001C0DE000-memory.dmp

Filesize
56KB

Download
memory/2776-140-0x000000001D6B0000-0x000000001D74C000-memory.dmp

Filesize
624KB

Download
memory/2776-133-0x0000000001A30000-0x0000000001A40000-memory.dmp

Filesize
64KB

Download
memory/2776-157-0x00000000019F0000-0x00000000019F8000-memory.dmp

Filesize
32KB

Download
memory/2776-156-0x0000000001A10000-0x0000000001A22000-memory.dmp

Filesize
72KB

Download
memory/3348-172-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3348-176-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3348-192-0x000000001CB20000-0x000000001CB32000-memory.dmp

Filesize
72KB

Download
memory/3348-193-0x000000001CB80000-0x000000001CBBC000-memory.dmp

Filesize
240KB

Download
memory/3348-194-0x000000001CCD0000-0x000000001CDDA000-memory.dmp

Filesize
1.0MB

Download
memory/3348-195-0x000000001CFB0000-0x000000001D172000-memory.dmp

Filesize
1.8MB

Download
memory/3348-197-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3348-198-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download

pid	process
3348	Orcus.exe
2856	Orcus.exe
2280	OrcusWatchdog.exe
4340	OrcusWatchdog.exe