Malware Analysis Report

2025-03-15 06:51

Sample ID 240108-blmkeshebp
Target c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017
SHA256 c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017

Threat Level: Known bad

The file c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017 was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus main payload

Orcus family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-08 01:14

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 01:14

Reported

2024-01-08 01:16

Platform

win7-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
File created C:\Program Files (x86)\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1636 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1636 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1636 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1636 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1636 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1636 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1636 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1972 wrote to memory of 1676 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1972 wrote to memory of 1676 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1972 wrote to memory of 1676 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1972 wrote to memory of 1676 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1676 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1676 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1676 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1676 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1876 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1876 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1876 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1876 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1508 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1508 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1508 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 1508 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Program Files (x86)\Orcus\Orcus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe

"C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchClientAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 1876

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe" /keepAlive 1876

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 1972 "/protectFile"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 1972 /protectFile

Network

Country Destination Domain Proto
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp

Files

memory/1636-0-0x0000000000300000-0x00000000003EC000-memory.dmp

memory/1636-1-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1636-2-0x0000000004AE0000-0x0000000004B20000-memory.dmp

memory/1636-3-0x0000000000270000-0x000000000027E000-memory.dmp

memory/1636-4-0x0000000001FF0000-0x000000000204C000-memory.dmp

memory/1636-5-0x00000000002D0000-0x00000000002E2000-memory.dmp

memory/1636-6-0x00000000002F0000-0x00000000002F8000-memory.dmp

\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2896-16-0x00000000012B0000-0x00000000012BC000-memory.dmp

memory/2896-17-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

memory/2896-18-0x000000001B100000-0x000000001B180000-memory.dmp

memory/2896-21-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

memory/2788-23-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

memory/2788-24-0x0000000019B30000-0x0000000019BB0000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 eda55b1d805e6b26253a93157b45b694
SHA1 418db9fb651d1eb2d45e8b38d0a0214f73bd08ad
SHA256 6efc2cdc9669808ffa192a837240994f3d207aea58f08b82b54ca7d68c2ecd64
SHA512 0a132e6b48986d18a316f774e80131f0c962acf34bfd08ba1cde475933d07d860e547a499f9386dbacd920033bc51681f206e923fe05d65b7641a1be7110192f

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 cd2323f845bf2eebfbdb81e5c43a971a
SHA1 661b213724fbbba3f4066cc02a15c9e898739a8b
SHA256 fa294de68256f62f0d99e88dc8673c739ff96235e942fd545eb0cdf86851cbb0
SHA512 de61b855dcd34be2ff3999be3e1b42e4cf48ba0aa7a327dcc7c5fc4dca8ecefae7aafe26ffd6366fb6e562a4e458faaed72b81ed4388f443cad7084ffb8af053

memory/1972-36-0x0000000000C10000-0x0000000000CFC000-memory.dmp

memory/1972-35-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1972-37-0x0000000004A00000-0x0000000004A40000-memory.dmp

memory/1636-34-0x0000000074410000-0x0000000074AFE000-memory.dmp

\Program Files (x86)\Orcus\Orcus.exe

MD5 9ff549c7a1a5a8f0762cf2d9257d8125
SHA1 d7c38c4dff352e61d426a1a897047e7ea5a43624
SHA256 c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017
SHA512 f2cfebf1a0f26fc3e18b818b731c69c4e9899d1d1281b4c4a0ae53432960587f6ad2ec7785c115534a137d80ef4f3046a0641b594ad871738b228b4948a04a17

C:\Users\Admin\AppData\Roaming\Orcus\err_ca3b5495a0294735a710f7cfa066ad39.dat

MD5 0d2c55058766cb9a7186621cc37d939f
SHA1 e4fe609b8dd0c6d787173b362d66a6256ae1a563
SHA256 c2ac47549645c36d8283a9d5fec72eef275eebefa402a95022f9d4e138d05505
SHA512 da764305a1d7f235ffe537cf7aba134e594642e91284f09c1175989695d88074ea552b9fc24984fbac4fadd3a6ddfae81d944ad2831ace681f057b2216e81a50

memory/1972-40-0x0000000002100000-0x000000000214E000-memory.dmp

memory/1972-41-0x0000000004720000-0x0000000004738000-memory.dmp

memory/1972-42-0x0000000004890000-0x00000000048A0000-memory.dmp

memory/1972-43-0x0000000004A00000-0x0000000004A40000-memory.dmp

\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/1676-53-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/1876-57-0x0000000074410000-0x0000000074AFE000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 bb7587bc00eae73d52e54ae833611a42
SHA1 81c8209e3addaf19999189781f11e6fa411c7832
SHA256 e23fcab62e0b89705127d703333b9e5420c242aa48cc2037915c62764fdac452
SHA512 5dd10166a4f8f03b615742389c173e8c756b656f57a38a6cd024c6acb2e781de11c2c1141eca5574e367506aab1fe10f44a6da08e9f0b114e1213f717935e904

memory/1508-60-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1972-59-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1676-56-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1676-54-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2612-63-0x00000000047D0000-0x0000000004810000-memory.dmp

memory/2612-62-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2788-65-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_ca3b5495a0294735a710f7cfa066ad39.dat

MD5 6af096be7aa74c8bf3c10abb1f186edd
SHA1 469c8fc04e8e2227a50ca0176f0537147c5a0f92
SHA256 8f58bc7d19de978cb1cd5072a95038caaa3985e8a6969351dd4c99a4c9de5e27
SHA512 6158a31db46e47eb6ee6ab5d4cce4cbe44bb44c4809ce13fff22ea5a3a44e01ef29333191c97549af24e105d29539f5f984f6dff1ed260ea030bdca3a9bd09e9

memory/2612-68-0x00000000047D0000-0x0000000004810000-memory.dmp

memory/1508-69-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/1876-70-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2612-71-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2612-72-0x00000000047D0000-0x0000000004810000-memory.dmp

memory/2612-73-0x00000000047D0000-0x0000000004810000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 01:14

Reported

2024-01-08 01:16

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Orcus\Orcus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A
File created C:\Program Files (x86)\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2888 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2888 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2888 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 2888 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe C:\Program Files (x86)\Orcus\Orcus.exe
PID 336 wrote to memory of 4700 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 336 wrote to memory of 4700 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 336 wrote to memory of 4700 N/A C:\Program Files (x86)\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 4700 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 4700 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 4700 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe

"C:\Users\Admin\AppData\Local\Temp\c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 336 "/protectFile"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 336 /protectFile

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 192.168.1.72:6969 N/A tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
N/A 192.168.1.72:6969 N/A tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
N/A 192.168.1.72:6969 N/A tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
N/A 192.168.1.72:6969 N/A tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 192.168.1.72:6969 N/A tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp
N/A 192.168.1.72:6969 N/A tcp

Files

memory/2888-0-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2888-2-0x0000000004F90000-0x0000000004FA0000-memory.dmp

memory/2888-1-0x0000000000430000-0x000000000051C000-memory.dmp

memory/2888-4-0x0000000004EB0000-0x0000000004F0C000-memory.dmp

memory/2888-5-0x0000000005640000-0x0000000005BE4000-memory.dmp

memory/2888-6-0x0000000005090000-0x0000000005122000-memory.dmp

memory/2888-7-0x0000000005530000-0x0000000005542000-memory.dmp

memory/2888-8-0x0000000005540000-0x0000000005548000-memory.dmp

memory/2888-9-0x00000000055D0000-0x0000000005636000-memory.dmp

memory/2888-10-0x0000000006210000-0x0000000006828000-memory.dmp

memory/2888-11-0x0000000005C50000-0x0000000005C62000-memory.dmp

memory/2888-13-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

memory/2888-12-0x0000000005CB0000-0x0000000005CEC000-memory.dmp

memory/2888-3-0x0000000002900000-0x000000000290E000-memory.dmp

memory/2888-14-0x0000000005E70000-0x0000000005F7A000-memory.dmp

memory/2888-16-0x0000000006830000-0x0000000006852000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4288-30-0x00000000005F0000-0x00000000005FC000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

memory/4288-31-0x00007FFDF68A0000-0x00007FFDF7361000-memory.dmp

memory/4288-33-0x000000001B250000-0x000000001B260000-memory.dmp

memory/4288-34-0x0000000002810000-0x000000000284C000-memory.dmp

memory/4288-32-0x0000000000EF0000-0x0000000000F02000-memory.dmp

memory/5052-40-0x00007FFDF68A0000-0x00007FFDF7361000-memory.dmp

memory/5052-41-0x000000001A910000-0x000000001AA1A000-memory.dmp

memory/4288-38-0x00007FFDF68A0000-0x00007FFDF7361000-memory.dmp

memory/2888-56-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/336-57-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/336-59-0x0000000005530000-0x0000000005542000-memory.dmp

memory/336-58-0x0000000005540000-0x0000000005550000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 7e14fa466ec9ea400f20d315279508b9
SHA1 f0514875d9e2af46df51e98c1ad898c64060855d
SHA256 afd8b75c7647f1a45facb5543f267cc8d65637df737195c7d03dc6aa43120966
SHA512 d0d3dbe90942feb26224d541d56c5908bc7444c33922be427f2c461cd79d970f66ae316dbd105a7f03e91ce901baa8dc5173846e2e57dd34aee56a81738dc729

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 c3f16e80cb3c7b20c14c064c1ac20624
SHA1 7194d3629f5e9fc2c013f73cbe85eb8aad973ec2
SHA256 2c6f029f337c23e6c734f73c25066a0c87648f5238dff1672cf6d6c2554c3b54
SHA512 dd59670b9a5cab2777520a6ae2a72982405ab83fbc1f07c08e04493802ae9e96963d94c381e305d4daae6965fed2916307268eb7d3b44b8f8ada3ac510323ddb

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 a0decbd51409661af3af2f36a4589674
SHA1 8cb50b1f1ad7618c60fbd0cd99e188259ae31e07
SHA256 1452827860c20f7a3d070176e7f665d1b536a2ccb287236995dea3e1db98ca72
SHA512 40fa2d6d2e102ca04eb923c0ac00da9d4783594abc2f5702096f13f7063efa8577c33cfc5b384245af6006c5bbaf4f285b75df4887cdac4bea3a56c80f14960d

memory/336-63-0x00000000066B0000-0x00000000066C8000-memory.dmp

memory/336-62-0x0000000006640000-0x000000000668E000-memory.dmp

memory/336-66-0x0000000007160000-0x0000000007170000-memory.dmp

memory/336-65-0x0000000007320000-0x00000000074E2000-memory.dmp

memory/336-67-0x00000000072C0000-0x00000000072CA000-memory.dmp

memory/4700-81-0x0000000000840000-0x0000000000848000-memory.dmp

memory/4700-82-0x0000000074BE0000-0x0000000075390000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/2460-87-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/4700-86-0x0000000074BE0000-0x0000000075390000-memory.dmp

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/336-64-0x0000000006F90000-0x0000000006FA8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_ca3b5495a0294735a710f7cfa066ad39.dat

MD5 cee12f6c3669e5dd8e61a1e38f7c559d
SHA1 90ab3c061ed102dc37553289ace90bd7fb61538c
SHA256 25f93290ff23cc17670d7794abefece293041fc0972b56b8bf56c0e7c8f542fd
SHA512 c011e4c6f877e80ce2cc182f985cb919e513968931a5a322f50572be660bd1c31ca15f1941875c1eebb2d7de7976a4911ade8f014b95be9b8fb6b8d66f21e1d6

memory/5052-88-0x00007FFDF68A0000-0x00007FFDF7361000-memory.dmp

memory/5052-89-0x0000000019B80000-0x0000000019B90000-memory.dmp

memory/336-90-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2460-91-0x0000000074BE0000-0x0000000075390000-memory.dmp