Malware Analysis Report

2025-01-22 15:05

Sample ID 240208-tdsqksfe6w
Target BlitzedGrabberX96.rar
SHA256 471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9
Tags: orcus agilenet persistence rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9

Threat Level: Known bad

The file BlitzedGrabberX96.rar was found to be: Known bad.

Malicious Activity Summary

orcus agilenet persistence rat spyware stealer

Orcus

Orcus main payload

Orcurs Rat Executable

Obfuscated with Agile.Net obfuscator

Drops startup file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-08 15:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-08 15:56

Reported

2024-02-08 15:59

Platform

win7-20231129-en

Max time kernel

44s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\UltraEmbeddable.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\UltraEmbeddable.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\UltraEmbeddable.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 552

Network

N/A

Files

memory/2928-0-0x00000000008F0000-0x000000000096A000-memory.dmp

memory/2928-1-0x0000000074290000-0x000000007497E000-memory.dmp

memory/2928-2-0x0000000074290000-0x000000007497E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-08 15:56

Reported

2024-02-08 15:59

Platform

win10v2004-20231215-en

Max time kernel

54s

Max time network

68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\UltraEmbeddable.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\UltraEmbeddable.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\UltraEmbeddable.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 872

Network

Country  Destination        Domain                         Proto
US       20.231.121.79:80   -                              tcp
US       8.8.8.8:53         210.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53         133.211.185.52.in-addr.arpa    udp
US       8.8.8.8:53         4.181.190.20.in-addr.arpa      udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53         58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53         2.136.104.51.in-addr.arpa      udp
US       8.8.8.8:53         86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53         15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53         18.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53         196.178.17.96.in-addr.arpa     udp

Files

memory/228-0-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/228-1-0x0000000000090000-0x000000000010A000-memory.dmp

memory/228-2-0x00000000747C0000-0x0000000074F70000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-08 15:56

Reported

2024-02-08 15:59

Platform

win7-20231215-en

Max time kernel

34s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leaf.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leaf.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe"

Network

N/A

Files

memory/1700-0-0x00000000000F0000-0x00000000000FC000-memory.dmp

memory/1700-3-0x000007FEF5F30000-0x000007FEF691C000-memory.dmp

memory/1700-4-0x000000001A6B0000-0x000000001A730000-memory.dmp

memory/1700-5-0x000007FEF5F30000-0x000007FEF691C000-memory.dmp

memory/1700-6-0x000000001A6B0000-0x000000001A730000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-08 15:56

Reported

2024-02-08 15:59

Platform

win10v2004-20231215-en

Max time kernel

67s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leaf.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leaf.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\Bin\leaf.exe"

Network

Country  Destination   Domain                         Proto
US       8.8.8.8:53    205.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53    58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53    95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53    21.177.190.20.in-addr.arpa     udp
US       8.8.8.8:53    104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53    241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53    183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53    171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53    217.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53    204.178.17.96.in-addr.arpa     udp

Files

memory/4636-0-0x0000000000F70000-0x0000000000F7C000-memory.dmp

memory/4636-3-0x00007FFBDA8D0000-0x00007FFBDB391000-memory.dmp

memory/4636-4-0x00000000017C0000-0x00000000017D0000-memory.dmp

memory/4636-5-0x00007FFBDA8D0000-0x00007FFBDB391000-memory.dmp

memory/4636-6-0x00000000017C0000-0x00000000017D0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-08 15:56

Reported

2024-02-08 15:59

Platform

win7-20231215-en

Max time kernel

33s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
Target: N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\chromedriver.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\chromedriver.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\BlitzedGrabberX96\APIFOR.DLL C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 840 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 840 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 840 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 840 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 840 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 840 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 840 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
PID 840 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
PID 840 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
PID 2360 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 840 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
PID 840 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
PID 840 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
PID 3028 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\chromedriver.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3028 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\chromedriver.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3028 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\chromedriver.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2576 wrote to memory of 2696 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2576 wrote to memory of 2696 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2576 wrote to memory of 2696 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3028 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\chromedriver.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 3028 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\chromedriver.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 3028 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\chromedriver.exe C:\Windows\SysWOW64\WindowsInput.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE

"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File poo.ps1

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

"C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n5u5jwtw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCE09.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\ProgramData\Chrome\Plugins\chromedriver.exe

"C:\ProgramData\Chrome\Plugins\chromedriver.exe"
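The WriteProcessMemory rows above are the only parent/child evidence this report gives, so they are what a responder uses to reconstruct the execution chain. The script below is an added example, not part of the sandbox report: it rebuilds the behavioral5 process tree from those rows (transcribed from the report, repeated rows collapsed), attaches the command lines from the Processes section, and applies a few heuristic flags. The flags (execution-policy bypass, csc.exe spawned from %TEMP%, a C:\Windows binary run with --install by a Temp process, legitimate-sounding names running from user-writable paths) are this editor's rules, not sandbox signatures.

```python
"""Rebuild the behavioral5 process tree from the 'Suspicious use of
WriteProcessMemory' rows and flag the links a responder should look at first.

Added example, not part of the sandbox report. WPM_ROWS and CMDLINES are
transcribed from the report (repeated rows collapsed); the flagging rules are
this editor's heuristics, not sandbox signatures.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
INSTALLER = TEMP + r"\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WININPUT = r"C:\Windows\SysWOW64\WindowsInput.exe"

# (parent PID, child PID, parent image, child image)
WPM_ROWS = [
    (840, 2300, INSTALLER, TEMP + r"\BlitzedGrabberX96 Install.exe"),
    (840, 2360, INSTALLER, TEMP + r"\UnityCrashHandler.EXE"),
    (2360, 2764, TEMP + r"\UnityCrashHandler.EXE", POWERSHELL),
    (840, 3028, INSTALLER, TEMP + r"\chromedriver.exe"),
    (3028, 2576, TEMP + r"\chromedriver.exe", NETFX + r"\csc.exe"),
    (2576, 2696, NETFX + r"\csc.exe", NETFX + r"\cvtres.exe"),
    (3028, 1492, TEMP + r"\chromedriver.exe", WININPUT),
]

# Command lines from the Processes section, keyed by image. WindowsInput.exe
# is listed twice there (with and without --install); the --install run is kept.
CMDLINES = {
    INSTALLER: '"' + INSTALLER + '"',
    TEMP + r"\BlitzedGrabberX96 Install.exe": '"' + TEMP + r'\BlitzedGrabberX96 Install.exe"',
    TEMP + r"\UnityCrashHandler.EXE": '"' + TEMP + r'\UnityCrashHandler.EXE"',
    POWERSHELL: "powershell.exe -ExecutionPolicy Bypass -File poo.ps1",
    TEMP + r"\chromedriver.exe": '"' + TEMP + r'\chromedriver.exe"',
    NETFX + r"\csc.exe": '"' + NETFX + r'\csc.exe" /noconfig /fullpaths @"' + TEMP + r'\n5u5jwtw.cmdline"',
    NETFX + r"\cvtres.exe": NETFX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESCE0A.tmp"',
    WININPUT: '"' + WININPUT + '" --install',
}

USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData|ProgramData)\\", re.I)
LOOKALIKE = re.compile(r"\\(chromedriver|UnityCrashHandler)\.exe$", re.I)


def build_tree(rows):
    """Return (children, parent_of, image_of) from WriteProcessMemory rows."""
    children, parent_of, image_of = defaultdict(list), {}, {}
    for ppid, pid, pimage, image in rows:
        image_of[ppid], image_of[pid] = pimage, image
        parent_of[pid] = ppid
        if pid not in children[ppid]:
            children[ppid].append(pid)
    return children, parent_of, image_of


def roots(children, parent_of):
    """PIDs that wrote into others but were never written to: the tree roots."""
    return sorted(p for p in children if p not in parent_of)


def ancestors(parent_of, pid):
    """Parent chain of pid, nearest first."""
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def triage_node(image, cmdline, parent_image):
    """Heuristic flags for one process (editor's rules, not sandbox signatures)."""
    reasons = []
    if re.search(r"-ExecutionPolicy\s+Bypass", cmdline, re.I):
        reasons.append("PowerShell started with -ExecutionPolicy Bypass")
    if image.lower().endswith("\\csc.exe") and USER_WRITABLE.match(parent_image):
        reasons.append("C# compiler spawned by a binary in a user-writable directory (payload compiled at run time)")
    if image.lower().startswith("c:\\windows\\") and cmdline.lower().endswith(" --install") and USER_WRITABLE.match(parent_image):
        reasons.append("binary under C:\\Windows run with --install by a process in a user-writable directory")
    if USER_WRITABLE.match(image) and LOOKALIKE.search(image):
        reasons.append("named like legitimate software but running from a user-writable directory")
    return reasons


def triage(rows, cmdlines):
    """(pid, reason) pairs for every process in the tree."""
    _, parent_of, image_of = build_tree(rows)
    findings = []
    for pid, image in sorted(image_of.items()):
        parent_image = image_of.get(parent_of.get(pid), "")
        for reason in triage_node(image, cmdlines.get(image, ""), parent_image):
            findings.append((pid, reason))
    return findings


def render_tree(rows, cmdlines):
    """Indented text tree, one line per process: '<pid> <image>  <- <cmdline>'."""
    children, parent_of, image_of = build_tree(rows)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image_of[pid]}  <- {cmdlines.get(image_of[pid], '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(children, parent_of):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(WPM_ROWS, CMDLINES)))
    for pid, reason in triage(WPM_ROWS, CMDLINES):
        print(f"[!] PID {pid}: {reason}")
```

Run as-is it prints the tree rooted at PID 840 and flags PIDs 2360, 2764, 2576, 3028 and 1492; the cvtres.exe step (PID 2696) is the normal tail of a csc.exe compile and is left unflagged. Replace WPM_ROWS and CMDLINES with rows from another report to reuse the tree logic.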

Network

N/A

Files

memory/840-0-0x0000000000980000-0x0000000000E1A000-memory.dmp

memory/840-1-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

memory/840-2-0x000000001B5E0000-0x000000001B660000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe

MD5 46d8dfadf7f9d90385ab7df71b5adce3
SHA1 99482121b86c790a6f2d732b0a47a1e41922518f
SHA256 7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c
SHA512 2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE

MD5 69bef95f8029651ff546b59544d3d6cd
SHA1 a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9
SHA256 0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac
SHA512 b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e

\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe

MD5 45127aab7927fbe1961b9591b22846e1
SHA1 576e2ddea98ed854407070ccbd066ca6d1b86808
SHA256 f0dc6b421e5924ab16c088930440ba67fcc13ff3d8f036a310465ffe752a0a3b
SHA512 ce557e821b6148fe4b71c9dcbe24802e9f1d44ea9e3fc2939dadf31eb0749b3da2b5b4fe16ba03beeea79a16bc6d8f906ba92649a965edcfd081afe78dd4ec3e

\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe

MD5 9b45f7cc824e5837d516748dfc1500f5
SHA1 4a762177f02a2af5b37e9185129c22ed3377634f
SHA256 dec1d85d19343b6526511288405f1a36ba120fcfff89c5e385ee1a8ee39cc536
SHA512 973aa196fee0f7c8d603031135466dae46a75ea63e14c2b5941c2edd779f7e3cd11423dc6b7f2cd5bbcbf7380b51164dadeefb4e3842b92a55d163f193041534

memory/2764-23-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

memory/2764-24-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

memory/2764-25-0x00000000023E0000-0x00000000023E8000-memory.dmp

memory/2764-26-0x0000000002860000-0x00000000028E0000-memory.dmp

memory/2764-27-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

memory/2764-28-0x0000000002860000-0x00000000028E0000-memory.dmp

memory/2764-29-0x0000000002860000-0x00000000028E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\poo.ps1

MD5 5d792fc7c4e2fd3eb595fce4883dcb2d
SHA1 ee2a88f769ad746f119e144bd06832cb55ef1e0f
SHA256 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
SHA512 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

memory/2764-31-0x0000000002860000-0x00000000028E0000-memory.dmp

memory/2764-32-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

MD5 8852a909c0869ff0d30eaeabf26c31a3
SHA1 dd1c42f06ea2d4c90e39029cee249db45f08cc52
SHA256 f80d363ec77935189502cd7dcd7be691b6470dbafd458bdef4d4f3be50382a9e
SHA512 0fbe1e18360e0766e4042f4ecc5381ba7f8dfeee98eb4487385232766729c1090e2c1cd2d6b05c31a0f0244e0c1c1e636f8de26ac027d95e629a8970370fd0db

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

MD5 c1467138c0c59c1207855f2f878764c3
SHA1 ed43c05e9f92d0975661a902b2defdc58f6c2dd2
SHA256 56dd96fbdf2fabdc94b30f1e39ad3e53b90ffa4cc6447547d7de21c755e7f692
SHA512 fead9430a269431585bffb9872b09964ec09e2383ffa6a9d582e65246b0c3c6859dac966568ff847cf9a6a7920ba0d6703a88139ecf552f90ee24e4fe8e73e65

memory/840-38-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

memory/3028-39-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

memory/3028-40-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

memory/3028-41-0x0000000000A60000-0x0000000000ABC000-memory.dmp

memory/3028-42-0x0000000000290000-0x000000000029E000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\n5u5jwtw.cmdline

MD5 661d55759d0a620cdd3a4737d9e2e184
SHA1 ae417b2497a60fb5fcea2eaf564117cacf81b7be
SHA256 4793154841fa7fa7ab32ba987c31771940ab023b41b6c2fa1c2dba6e9d661eab
SHA512 2debd6ae28791f8a255137a3a63fba52e9e739d1c475a2b721ca87a751c834d0f57a4b581f8ab01a800b0a21cdf6b52548578a2ffc2b5f4a5c79449830e6849e

\??\c:\Users\Admin\AppData\Local\Temp\n5u5jwtw.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

memory/2576-48-0x0000000000820000-0x00000000008A0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCCE09.tmp

MD5 106bd87ddb7711359b45adc53518a01e
SHA1 449e76eeb440818fe634ab10ca908f17946fdfde
SHA256 1a99653f302a489d7c5c96ebad9fe246a9d12978a9a8b047d3124d8ba2a8a4c9
SHA512 74eb73fae207e8ebd49a06de862e5cfd2d821017d3ff46ebbb811da43ce28843c813f3dbf8fcbd0df2700e586c38ffc8451936b1bd3538b0bfc1cf5909fc9dce

C:\Users\Admin\AppData\Local\Temp\RESCE0A.tmp

MD5 02e344c35b02f6787d8e4850dd7ed9d8
SHA1 928114a72e567d5f9636d4524c836d8cbbd2ebba
SHA256 0d29a290145e5c15914a03165ee02efeeeff13b40a7ae239f67508e2f0814603
SHA512 7a563d584a45ee767fad2024177e8a34d566d3a40e901764d77149da18aa0f699076d18a35f8c7dfd4ff45d5ab5c0baa077cf2f2fbd79c2142b0db693f737f6a

C:\Users\Admin\AppData\Local\Temp\n5u5jwtw.dll

MD5 b5c42f9ed169acff9f5f880f7c27655d
SHA1 b812cb32f5d1412d82d8ea59c5a65d7e22cafc05
SHA256 744d7bafefd7d2addf16e5bb76e4dfff335b1d692f4351bdc26cb73de2e053d6
SHA512 08fc21d9dcee611395e2d828529ae0a2f638874446623a581125df083169bde14c028129d44d8910d87f0f8a6bf796c012d1898f6da205b3c5bbfbd68d18720b

memory/3028-56-0x0000000000710000-0x0000000000726000-memory.dmp

memory/3028-58-0x0000000000440000-0x0000000000452000-memory.dmp

memory/3028-59-0x0000000000570000-0x0000000000578000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/1492-68-0x000007FEF1940000-0x000007FEF232C000-memory.dmp

memory/1492-67-0x0000000000290000-0x000000000029C000-memory.dmp

\Program Files\BlitzedGrabberX96\APIFOR.DLL

MD5 91b4d211faddb0ebc64fb000d75d96c1
SHA1 ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c
SHA256 e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de
SHA512 3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919

memory/1492-75-0x000000001A6F0000-0x000000001A770000-memory.dmp

\Program Files\BlitzedGrabberX96\Bunifu_UI_v1.5.3.dll

MD5 e0ef2817ee5a7c8cd1eb837195768bd2
SHA1 426ea1e201c7d3dc3fadce976536edce4cd51bce
SHA256 76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930
SHA512 5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c

\Program Files\BlitzedGrabberX96\Guna.UI.dll

MD5 6d6a1f28978d42ad2f0a8f278eaac966
SHA1 b09168ec88109422ca29cf4f1b6462d51930873d
SHA256 fb23fa4fca8f28bebe7b7e39593a211cd3c3405de5f948ec520e859b1bcaf91e
SHA512 76ddf88255a9355fc3c781880e23d94206acca4decf5623712411f7a733e91ca9ea37944860401cf9667f10e8c33a087803a4726f91faff1f23e3e0592ddf41d

\Program Files\BlitzedGrabberX96\Guna.UI2.dll

MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

\Program Files\BlitzedGrabberX96\Kyanite.exe

MD5 7cebe29a86c8bad15bbf7f190ae9c012
SHA1 a035287675af874872753aa813c2e17f712e2ff5
SHA256 808226fbf400593c702b5efe774290f0d2787d2a3fb25d0359cb3ca72a9b2b44
SHA512 add343a62e77af49870386a3d5f8976ab53bdc2b2d7820ce735238db806b95e06e111a99114b8ea5c0dd74ee38a58466a79255705c3b3b0a7746eea4beabedbe

\Program Files\BlitzedGrabberX96\Login Theme.dll

MD5 34b9583b485e101ebbd9fd100699eab0
SHA1 63a8ed0e336f7ade8664c8ecff81eb473f9d4d05
SHA256 8879dcfb480f0b3c47414eef8ec50d57f13c6c0895644000b17a38e465896d7a
SHA512 467dea806fb1746a8eae12cf2d7cc7029a0a237790904c49fe22d809cfc582a81537bd6cb4c0fe1a34bce259bf20609924a0cc62b5335ed6d279ee26c1baa30e

memory/3028-111-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

\Program Files\BlitzedGrabberX96\Siticone.UI.dll

MD5 ea797152ded4478107c08a9c9c28b454
SHA1 f28104d7099cca08ab84bf1ad1acb9233cbf116f
SHA256 c435f969a0150ec46e8f2414615e7cb1670322650fb632443ac9f0a146a98c14
SHA512 65d7a52243f46be4a5a4e82b0b5771be17efc7404411df9aaf95ecb4450699a5989fbed2f160b1ae917d04f6f3d71f172ad4bdaf238e37300780a781d13450ed

memory/1492-117-0x000007FEF1940000-0x000007FEF232C000-memory.dmp

memory/896-119-0x00000000002E0000-0x00000000002EC000-memory.dmp

memory/896-120-0x000007FEEDB10000-0x000007FEEE4FC000-memory.dmp

C:\ProgramData\Chrome\Plugins\chromedriver.exe

MD5 aa9d2640ec778b21412084b1b54abe7d
SHA1 00bce490735d41eb889dd4d27996e3ba93eb916c
SHA256 9b8821c06989f1522902fedee4915f25b31ee3125ba3973eff0718ad6885cb0b
SHA512 cb7de4503775f91000e95c3e67957d4bc4a9bd6f97c12b576827819fd2e4c8716bd4f501db27e32961901bfbcc80233a99345cd30016c2cf2598c521575f8ee1

C:\ProgramData\Chrome\Plugins\chromedriver.exe

MD5 fc078f4520ba18711aedb2cc5787e98b
SHA1 0faa983831edad9c55df47f48015a8be8b29fe2e
SHA256 a5a8ff66cfe064da6235a08e31226dd99c4d5b6038c1d4b310d621d27b6c7f1f
SHA512 9ee3dd1a7e29944677d5929d17597f390b1e7a3696bab6e6b81fac2dab2971febfeeb9eaf4cc2b4e4684173623922ede122216c19f89185888afca87f4f0d97b

C:\ProgramData\Chrome\Plugins\chromedriver.exe

MD5 ed76832e335324cde025123d2fff2ff4
SHA1 146ff5dced01b317f9a0588668c7caede69044ea
SHA256 caf66522099636d6da6f84d48f1a94e1fd49724ecf96fc0730909d9a24d257c1
SHA512 022800319c16f138cf8e869cfa35e755f9a64f20dad783043fec8e2766ec6edc297258961ecb253517dac7751220e73bfbe9ca6f5490567986ea430771207faf

memory/3028-130-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

memory/3008-131-0x0000000000CD0000-0x0000000000DBC000-memory.dmp

memory/3008-132-0x000007FEEDB10000-0x000007FEEE4FC000-memory.dmp

memory/3008-133-0x00000000003C0000-0x0000000000440000-memory.dmp

memory/896-134-0x000007FEEDB10000-0x000007FEEE4FC000-memory.dmp
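The Files section above lists the same path more than once with different hashes (both chromedriver.exe locations are rewritten during the install), so a blocklist built from paths alone misses content. The script below is an added example, not part of the sandbox report: it parses a transcribed subset of the behavioral5 Files section (memory-dump lines included to show they are skipped, SHA512 kept on one entry only), normalises the paths (the \??\ NT prefix, case), checks that every digest has the length its algorithm requires, reports paths that were written with more than one distinct SHA256, and emits the de-duplicated SHA256 list. The hashes are copied from the report; the parsing rules are this editor's.

```python
"""Pull file IOCs out of a flattened sandbox 'Files' section.

Added example, not part of the sandbox report. REPORT_FILES is a subset of the
behavioral5 Files section transcribed verbatim.
"""
import re
from collections import defaultdict

REPORT_FILES = r"""
memory/840-0-0x0000000000980000-0x0000000000E1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

MD5 8852a909c0869ff0d30eaeabf26c31a3
SHA1 dd1c42f06ea2d4c90e39029cee249db45f08cc52
SHA256 f80d363ec77935189502cd7dcd7be691b6470dbafd458bdef4d4f3be50382a9e

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

MD5 c1467138c0c59c1207855f2f878764c3
SHA1 ed43c05e9f92d0975661a902b2defdc58f6c2dd2
SHA256 56dd96fbdf2fabdc94b30f1e39ad3e53b90ffa4cc6447547d7de21c755e7f692

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

C:\ProgramData\Chrome\Plugins\chromedriver.exe

MD5 aa9d2640ec778b21412084b1b54abe7d
SHA1 00bce490735d41eb889dd4d27996e3ba93eb916c
SHA256 9b8821c06989f1522902fedee4915f25b31ee3125ba3973eff0718ad6885cb0b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\poo.ps1

MD5 5d792fc7c4e2fd3eb595fce4883dcb2d
SHA1 ee2a88f769ad746f119e144bd06832cb55ef1e0f
SHA256 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
SHA512 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

\??\c:\Users\Admin\AppData\Local\Temp\n5u5jwtw.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalize_path(path):
    """Strip the NT object-manager prefix and lower-case (Windows paths are case-insensitive)."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_file_blocks(text):
    """One dict per dropped file: {'path', 'raw_path', 'MD5', 'SHA1', ...}. Memory dumps are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
        elif not m:
            current = {"path": normalize_path(line), "raw_path": line}
            entries.append(current)
    return entries


def validate_entry(entry):
    """True when a SHA256 is present and every digest has the expected hex length."""
    if "SHA256" not in entry:
        return False
    return all(len(entry[alg]) == n for alg, n in HASH_LEN.items() if alg in entry)


def hashes_by_path(entries):
    grouped = defaultdict(set)
    for e in entries:
        grouped[e["path"]].add(e["SHA256"])
    return grouped


def multi_hash_paths(entries):
    """Paths that were written more than once with different content."""
    return sorted(p for p, s in hashes_by_path(entries).items() if len(s) > 1)


def unique_sha256(entries):
    return sorted({e["SHA256"] for e in entries})


if __name__ == "__main__":
    entries = parse_file_blocks(REPORT_FILES)
    for p in multi_hash_paths(entries):
        print(f"rewritten: {p} ({len(hashes_by_path(entries)[p])} distinct SHA256)")
    print("\n".join(unique_sha256(entries)))
```

On the full Files section the same check shows C:\ProgramData\Chrome\Plugins\chromedriver.exe with three distinct hashes and C:\Users\Admin\AppData\Local\Temp\chromedriver.exe with two, which is why every SHA256 in the section belongs on the blocklist, not just the last one written to each path.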

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-08 15:56

Reported

2024-02-08 15:59

Platform

win10v2004-20231215-en

Max time kernel

56s

Max time network

71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
Target: N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\chromedriver.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\chromedriver.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\chromedriver.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\chromedriver.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\chromedriver.exe N/A
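The persistence rows in this report need reading with care. The Startup-folder drop of leaf.exe (behavioral3/4) is real persistence. The "Adds Run key" hit (behavioral5/6), by contrast, is the wextract_cleanup0 RunOnce value that an IExpress self-extracting package writes so that advpack.dll,DelNodeRunDLL32 deletes its IXP000.TMP extraction directory at the next logon: it tells you UnityCrashHandler.EXE is an IExpress package that unpacked poo.ps1 into that directory, not that the RAT persists through RunOnce. The script below is an added example, not part of the sandbox report: it runs editor-written classification rules over the report's own file and registry rows (transcribed into EVENTS) and separates the IExpress cleanup artifact from the Startup drop, the System32 and C:\Windows\assembly writes by the Temp-resident chromedriver.exe, and the Geo\Nation locale read. Severity labels are this editor's choices; the IExpress interpretation rests on the wextract_cleanup<N> / DelNodeRunDLL32 / IXP<nnn>.TMP pattern, which is what that self-extractor always writes.

```python
r"""Classify the persistence-related file and registry events a sandbox report lists.

Added example, not part of the sandbox report. EVENTS is transcribed from the
report's signature rows; the rules and severities are this editor's.
"""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS = [
    {"op": "File created",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\leaf.exe",
     "process": TEMP + r"\BlitzedGrabberX96\Bin\leaf.exe"},
    {"op": "Set value (str)",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "process": TEMP + r"\UnityCrashHandler.EXE"},
    {"op": "File created", "target": r"C:\Windows\SysWOW64\WindowsInput.exe",
     "process": TEMP + r"\chromedriver.exe"},
    {"op": "File created", "target": r"C:\Windows\assembly\Desktop.ini",
     "process": TEMP + r"\chromedriver.exe"},
    {"op": "Key value queried",
     "target": r"\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation",
     "process": TEMP + r"\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"},
]

SEVERITY = {"none": -1, "info": 0, "low": 1, "medium": 2, "high": 3}
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|lnk|vbs|js|bat|cmd|ps1)$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# IExpress self-extractor cleanup: wextract_cleanup<N> -> advpack DelNodeRunDLL32 on IXP<nnn>.TMP
IEXPRESS_CLEANUP = re.compile(r"^wextract_cleanup\d+$", re.I)
IEXPRESS_DATA = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\?"', re.I)
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData|ProgramData)\\", re.I)
WINDOWS_DIR = re.compile(r"^C:\\Windows\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def classify(event):
    """Return (severity, label) pairs for one event; editor's heuristics."""
    op, target, proc = event["op"], event["target"], event["process"]
    out = []
    if op.startswith("File") and STARTUP_DIR.search(target):
        out.append(("high", "persistence: executable content dropped in the user Startup folder"))
    m = RUN_KEY.search(target) if op.startswith("Set value") else None
    if m:
        data = event.get("data", "")
        if IEXPRESS_CLEANUP.match(m.group("name")) and IEXPRESS_DATA.search(data):
            out.append(("info", "IExpress self-extractor cleanup RunOnce entry (deletes the IXP*.TMP "
                                "extraction dir at next logon); shows an IExpress package ran as "
                                + proc + ", but is not RAT persistence"))
        else:
            out.append(("high", f"persistence: {m.group(1)} value {m.group('name')!r}"))
    if op.startswith("File") and WINDOWS_DIR.match(target) and USER_WRITABLE.match(proc):
        out.append(("high", "process in a user-writable directory writing under C:\\Windows"))
    if op.startswith("Key value queried") and GEO_NATION.search(target):
        out.append(("low", "reads Geo\\Nation (locale check; commonly used to gate execution by region)"))
    return out


def summarize(events):
    """Highest severity per event index, 'none' when no rule fired."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        result[i] = max((s for s, _ in hits), key=SEVERITY.get, default="none")
    return result


if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        for sev, label in classify(ev):
            print(f"[{sev:4}] {ev['op']} {ev['target']}\n        {label}")
```

The same rules turn a genuine Run or RunOnce value written by the dropped components into a high-severity hit, so the IExpress exception only fires when both the value name and the advpack/IXP data match.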

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 1512 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 1512 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
PID 1512 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
PID 1512 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
PID 4920 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
PID 1512 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
PID 2788 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\chromedriver.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2788 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\chromedriver.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE

"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File poo.ps1

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

"C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0yenjbs.cmdline"

Network

Country  Destination        Domain                         Proto
US       8.8.8.8:53         241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53         172.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53         71.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53         209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53         104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53         58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53         50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53         171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53         18.134.221.88.in-addr.arpa     udp
US       20.231.121.79:80   -                              tcp

Files

memory/1512-0-0x00000000003B0000-0x000000000084A000-memory.dmp

memory/1512-1-0x00007FFBAC680000-0x00007FFBAD141000-memory.dmp

memory/1512-2-0x000000001B550000-0x000000001B560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe

MD5 46d8dfadf7f9d90385ab7df71b5adce3
SHA1 99482121b86c790a6f2d732b0a47a1e41922518f
SHA256 7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c
SHA512 2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE

MD5 69bef95f8029651ff546b59544d3d6cd
SHA1 a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9
SHA256 0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac
SHA512 b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e

memory/4332-26-0x00007FFBAC680000-0x00007FFBAD141000-memory.dmp

memory/4332-27-0x000001FA40C60000-0x000001FA40C70000-memory.dmp

memory/4332-28-0x000001FA40C60000-0x000001FA40C70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icnly2bv.a0f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4332-37-0x000001FA5B470000-0x000001FA5B492000-memory.dmp

memory/4332-39-0x000001FA40C60000-0x000001FA40C70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\poo.ps1

MD5 5d792fc7c4e2fd3eb595fce4883dcb2d
SHA1 ee2a88f769ad746f119e144bd06832cb55ef1e0f
SHA256 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
SHA512 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

memory/4332-41-0x000001FA40C60000-0x000001FA40C70000-memory.dmp

memory/4332-44-0x00007FFBAC680000-0x00007FFBAD141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

MD5 04f2087176aa677018403cc8f973dc4a
SHA1 b7bf181e52f3bfe97938248a17656a0707d4c65b
SHA256 90e0882fbe6f041e91c620bf601847d04100e95e5076acbc83b2a38faf355755
SHA512 95b5e6f72f33d914d4bec80026f883b03f0edc7af14185b67b73e074c94a8b62ccc2ee742c768536b7fbfec0e7dbae579b73c69e0fa343dbd8ed0c8495931baa

memory/1512-53-0x00007FFBAC680000-0x00007FFBAD141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

MD5 d9347ebc4f5ad8db1401a18f8619e279
SHA1 1567a4da5dea19ef56e367993173084a8b9fd81a
SHA256 b096c0044b44b576b35765607869ef0e205a23b71c66bba3720e5a12580bb84d
SHA512 50c0f2906fe864657c35175314963a173bc274bd7076032e37c176a2678727f03499e3076a40a78cbdfe19280b9839af0c3fd045d6bb68bed09c309976d6df34

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe

MD5 8ae8c0f6e3d956f14ce9a97cb04d08eb
SHA1 978a48363c63d76704f05c62f196e7c7260b88d1
SHA256 22eec05cc3e6f2e8a9d1eb33345db07830aac6c0c6699282efe7697aafbbee00
SHA512 120dce578d03c8822bd6e86172da26238f32a7c676774fb9f1354404ddb4712f09bfce63e10ee4990b33f6b7b3459bf7e5526aad05e522a56f13bb0d89f5dc99

memory/1512-58-0x00007FFBAC680000-0x00007FFBAD141000-memory.dmp

memory/2788-59-0x000000001B1A0000-0x000000001B1FC000-memory.dmp

memory/2788-62-0x000000001B390000-0x000000001B39E000-memory.dmp

memory/2788-63-0x000000001B870000-0x000000001BD3E000-memory.dmp

memory/2788-64-0x00007FFBA8990000-0x00007FFBA9331000-memory.dmp

memory/2788-65-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

memory/2788-66-0x000000001BDE0000-0x000000001BE7C000-memory.dmp

memory/2788-67-0x00007FFBA8990000-0x00007FFBA9331000-memory.dmp