Malware Analysis Report

2025-01-22 15:11

Sample ID: 240218-bglsbscb71
Target: 15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28
SHA256: 15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28
Tags: orcus persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28

Threat Level: Known bad

The file 15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28 was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcus family

Orcus main payload

Orcus

Orcurs Rat Executable

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-18 01:07

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-18 01:06
Reported: 2024-02-18 01:09
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" | C:\Program Files\Orcus\Orcus.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2852 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2852 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2852 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2180 wrote to memory of 2800 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2180 wrote to memory of 2800 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2180 wrote to memory of 2800 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2852 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Program Files\Orcus\Orcus.exe
PID 2852 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Program Files\Orcus\Orcus.exe
PID 2852 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Program Files\Orcus\Orcus.exe
PID 956 wrote to memory of 2936 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files\Orcus\Orcus.exe
PID 956 wrote to memory of 2936 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files\Orcus\Orcus.exe
PID 956 wrote to memory of 2936 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files\Orcus\Orcus.exe
PID 2668 wrote to memory of 2972 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2668 wrote to memory of 2972 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2668 wrote to memory of 2972 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2668 wrote to memory of 2972 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2972 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2972 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2972 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2972 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe

"C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4reobali.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES258B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC258A.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {91544963-9EB4-469E-A2A5-312F2456B9E3} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2668 /protectFile

C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2668 "/protectFile"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:4444 | | tcp
N/A | 127.0.0.1:4444 | | tcp
N/A | 127.0.0.1:4444 | | tcp
N/A | 127.0.0.1:4444 | | tcp
N/A | 127.0.0.1:4444 | | tcp
N/A | 127.0.0.1:4444 | | tcp
N/A | 127.0.0.1:4444 | | tcp

Files

memory/2852-0-0x000000001B000000-0x000000001B05C000-memory.dmp

memory/2852-1-0x0000000000A40000-0x0000000000A4E000-memory.dmp

memory/2852-2-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

memory/2852-3-0x00000000008B0000-0x0000000000930000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4reobali.0.cs

MD5 c555d9796194c1d9a1310a05a2264e08
SHA1 82641fc4938680519c3b2e925e05e1001cbd71d7
SHA256 ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a
SHA512 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

memory/2852-8-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4reobali.cmdline

MD5 da88d1b4919a7b8f1ef4db3fe479c1e8
SHA1 eba8cbc52e9ba783778d13cd8a03cf4f8845cdf4
SHA256 875814ed0af9d63b8754539ec62917992d1c51b645c34273ea263198b3a1359d
SHA512 5dd9cb51834e6d31f5088536b2af156ebf302b02e1705b1f90287fabec59d02c65813b7aac3b76285bf48200e362db51f67129d8f29686161a3c57df00b6ebf1

C:\Users\Admin\AppData\Local\Temp\RES258B.tmp

MD5 86e5c586657e5579f45d30d02be151d9
SHA1 8e2586905768e741dc442e16de146496916d7f53
SHA256 b38c2bf84f7f2bb930eada00a0af417cf42c33ea55a6c68fda675a0088155e60
SHA512 dda0351f6cc6d6c80159f8c81d1d5147cd67b5bee8fd9de794333c061505f59b068d9881a72a3ed724087b5244123a9ae01067d8848d31e4c00186bd5fe6bf13

\??\c:\Users\Admin\AppData\Local\Temp\CSC258A.tmp

MD5 9ead49163cec761f3bb4c6a06b837caf
SHA1 8463db9475cc26824fd2ed1879636e183786fa48
SHA256 0815b7d4fd8feb1e9839d4406d1be78e311831a219bbfbcffa545914189de13c
SHA512 54caca8c9c577221cfb5661f974e0685b91a8fc3b366c684407a724ea5ad5d07c4d2cf747de7b2bee18253661c55c168642a15a1b342ea559276c63336813719

memory/2852-17-0x000000001ACB0000-0x000000001ACC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4reobali.dll

MD5 5591009924de230680fe64e75a5b0359
SHA1 ead1a2eee401245afabe5f407f49c79eaef8d5b4
SHA256 847aca5d6326fcac89e40a27d43d0b79049413bd4489fb90bbe47be96748f972
SHA512 31fbe36ed8c3da288e369978519618c069fa8a65b8d0cfe287f66adf40cf0e7364343659da0ae13598aa3c75232ea4cefb3778dfc2b4d01d5ee5388f7f8d3793

memory/2852-19-0x0000000000A70000-0x0000000000A82000-memory.dmp

memory/2852-20-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

memory/2852-21-0x0000000000C00000-0x0000000000C08000-memory.dmp

memory/2852-22-0x00000000008B0000-0x0000000000930000-memory.dmp

memory/2852-28-0x00000000008B0000-0x0000000000930000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 8d843bec1b2fa4692a5a5824fb8b4700
SHA1 6c15b776c8187a1eaf084ddcbb1721ef38bd56af
SHA256 15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28
SHA512 f27f139ce03c9653134a9bb0de00d6caaad5c829e69e2d069f801935f52a377cd0475863816c9d0dbf6091608f1d4a916729277abd0ff57b61d2f57e30cf1052

memory/2852-32-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2668-34-0x0000000000B90000-0x0000000000C7C000-memory.dmp

memory/2668-35-0x000007FEED990000-0x000007FEEE37C000-memory.dmp

memory/2668-36-0x000000001B0C0000-0x000000001B140000-memory.dmp

memory/2668-37-0x0000000000480000-0x0000000000492000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_c9fed2adfe5c487bb1b27e0925228432.dat

MD5 a83b9b2142d502d55c130aceb640fbe4
SHA1 bf215d49981447f7873862fa5d7f2de28171f3fe
SHA256 f7301ea52c1b9b59825177b7b6455cd05cdea909179c0f12a6934397aba9a9b5
SHA512 35c15d74a42d1529a35ac04fd938f77d180be8b967a8a6d79293ea9a02c7597d3bca52891698059ac46344305ca207aa80d4ec3e3d539a54386c1b0470b0d403

memory/2668-40-0x0000000000AD0000-0x0000000000B1E000-memory.dmp

memory/2668-41-0x0000000000B70000-0x0000000000B88000-memory.dmp

memory/2668-42-0x0000000002220000-0x0000000002230000-memory.dmp

memory/2668-43-0x000000001B0C0000-0x000000001B140000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 be03d8a8e78446a54f706b52e621f099
SHA1 ad0b6f736e4fc068d60cdf9f9aed5a832ad90b59
SHA256 eb45847e228e798c164e6ce552770da6a41d93d86a6d5d393e86d46ae7e4eb3a
SHA512 030f3efa8ea3323fdb9638a2108f76d4a8f448f9d645d76a5568e1b47a9aace8e00400ddc3621154331e9abaac87d6ac1187f214c72c1c29cb55646720f236eb

C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2936-52-0x000007FEED990000-0x000007FEEE37C000-memory.dmp

memory/2972-55-0x0000000001000000-0x0000000001008000-memory.dmp

memory/2936-54-0x000000001B150000-0x000000001B1D0000-memory.dmp

memory/2972-56-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/2972-59-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/1556-60-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/2936-61-0x000007FEED990000-0x000007FEEE37C000-memory.dmp

memory/2668-62-0x000007FEED990000-0x000007FEEE37C000-memory.dmp

memory/2668-63-0x000000001B0C0000-0x000000001B140000-memory.dmp

memory/2668-64-0x000000001B0C0000-0x000000001B140000-memory.dmp

memory/1556-65-0x00000000749E0000-0x00000000750CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-18 01:06
Reported: 2024-02-18 01:09
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Program Files\Orcus\Orcus.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" | C:\Program Files\Orcus\Orcus.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2244 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2244 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3728 wrote to memory of 900 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3728 wrote to memory of 900 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2244 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Program Files\Orcus\Orcus.exe
PID 2244 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe | C:\Program Files\Orcus\Orcus.exe
PID 4812 wrote to memory of 2304 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 4812 wrote to memory of 2304 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 4812 wrote to memory of 2304 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2304 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2304 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
PID 2304 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe | C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe

"C:\Users\Admin\AppData\Local\Temp\15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vyoprgvu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2F8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA2F7.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 4812 /protectFile

C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 4812 "/protectFile"

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
N/A | 127.0.0.1:4444 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
N/A | 127.0.0.1:4444 | | tcp
N/A | 127.0.0.1:4444 | | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:4444 | | tcp
N/A | 127.0.0.1:4444 | | tcp
US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp
N/A | 127.0.0.1:4444 | | tcp

Files

memory/2244-0-0x00007FF998440000-0x00007FF998DE1000-memory.dmp

memory/2244-1-0x0000000000E80000-0x0000000000E90000-memory.dmp

memory/2244-3-0x00007FF998440000-0x00007FF998DE1000-memory.dmp

memory/2244-2-0x000000001B620000-0x000000001B67C000-memory.dmp

memory/2244-6-0x000000001B800000-0x000000001B80E000-memory.dmp

memory/2244-7-0x000000001BCF0000-0x000000001C1BE000-memory.dmp

memory/2244-8-0x000000001C260000-0x000000001C2FC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\vyoprgvu.cmdline

MD5 696a4012b2b78c63994be1e7adc15d0b
SHA1 7836d8281162b436a7840daa872551bc78c21ada
SHA256 69591a50e3dbc4b025219a787e06173c9c5d848c8475b13f04394bfe8b239ef4
SHA512 96628ab94d49363d61d412656bc07271771fe0e1846b4e57b36cb18d383f77b47013491997cfe82c4ad3991ee481b368bc178a2608c3552870397a1b829d65fc

\??\c:\Users\Admin\AppData\Local\Temp\vyoprgvu.0.cs

MD5 578613b57a645e4c2a954629f8dc9e00
SHA1 509d492220a11070a7c6e296bdb74cc26777eca2
SHA256 7dbd6af63b364abaa6d12025645c8ce4b8ad42de1293159dcfff737e0151494b
SHA512 66e17e039ae8e07094b3321886dc05a1375cbc32ce3e30c4b7ffc85a8aaef22b79144a9830755b426627fa8c6a66f2ee5600eadd4e5e7e21bd897c8e94016200

memory/3728-14-0x0000000000B70000-0x0000000000B80000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCA2F7.tmp

MD5 e7bc7ba8c545b35f91f24719448c3096
SHA1 906e7b3dbec8be07257f3673f3c09f06c11f3dcc
SHA256 32faab60b257b33ebfe4192cee3dc25a9ed834d5c2988f3be40716c4b7793987
SHA512 26ad3953d9d5c517bfc33a0d074a9d2f27387fac80bb12810154534a065f3561f558c784f500d088c2ac9ebd1ab3a20401af23c7121d6216edd70281b6c46256

C:\Users\Admin\AppData\Local\Temp\RESA2F8.tmp

MD5 61ee339cf8adde76c7fc4b867a9e22db
SHA1 11b55f5bea38a7f762f6a88e0d3b5366a8643603
SHA256 b9d39f34897277fa957eeacb4d3246612dffc010cf074bb6f3677b9f7b3fe18b
SHA512 69d0be83583357a19d27777cb2d115d2a013756fe2289f3abf012f56392cdbd39556908365171c2e9cb8f2c282d97a45f465e3b09006cd27e013cb5c4f16a4fb

memory/2244-22-0x000000001C730000-0x000000001C746000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vyoprgvu.dll

MD5 5670406de742f3ba80d0e251627709eb
SHA1 df121809ef21b109b19b058883eeaad677dd9562
SHA256 671e649be6a2230bb2731fe0736a81f7ab4097ef391f6b2a48e083b408e8cd7b
SHA512 4097d409fa5028772fce2e8fb015245995717eec7e53aecae098043b98d777ba569426da4ee2d084622e40845b97b138abfd7ce3b897c5d9a3adfd188f1b6bcb

memory/2244-24-0x00000000010B0000-0x00000000010C2000-memory.dmp

memory/2244-25-0x0000000001030000-0x0000000001038000-memory.dmp

memory/2244-26-0x000000001B610000-0x000000001B618000-memory.dmp

memory/2244-27-0x000000001CD10000-0x000000001CD72000-memory.dmp

memory/2244-28-0x000000001D670000-0x000000001DC2A000-memory.dmp

memory/2244-29-0x000000001DC30000-0x000000001DD20000-memory.dmp

memory/2244-30-0x000000001CE70000-0x000000001CE8E000-memory.dmp

memory/2244-31-0x000000001DD30000-0x000000001DD79000-memory.dmp

memory/2244-32-0x0000000000E80000-0x0000000000E90000-memory.dmp

memory/2244-33-0x000000001DE10000-0x000000001DE80000-memory.dmp

memory/2244-34-0x0000000000E80000-0x0000000000E90000-memory.dmp

memory/2244-41-0x00007FF998440000-0x00007FF998DE1000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 8d843bec1b2fa4692a5a5824fb8b4700
SHA1 6c15b776c8187a1eaf084ddcbb1721ef38bd56af
SHA256 15fa29093e6053281eaed8642880975a1ae649c55285593c0fe2385fa2202e28
SHA512 f27f139ce03c9653134a9bb0de00d6caaad5c829e69e2d069f801935f52a377cd0475863816c9d0dbf6091608f1d4a916729277abd0ff57b61d2f57e30cf1052

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2244-52-0x0000000000E80000-0x0000000000E90000-memory.dmp

memory/4812-54-0x0000000000570000-0x000000000065C000-memory.dmp

memory/2244-53-0x00007FF998440000-0x00007FF998DE1000-memory.dmp

memory/4812-55-0x00007FF9955D0000-0x00007FF996091000-memory.dmp

memory/4812-56-0x000000001B2F0000-0x000000001B300000-memory.dmp

memory/4812-57-0x0000000002770000-0x0000000002782000-memory.dmp

memory/4812-58-0x000000001B200000-0x000000001B212000-memory.dmp

memory/4812-59-0x000000001B280000-0x000000001B2BC000-memory.dmp

memory/4812-60-0x000000001B810000-0x000000001B91A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_c9fed2adfe5c487bb1b27e0925228432.dat

MD5 c00e81093a3cb3c636161b2e2feda3d4
SHA1 ea2a38b02a802587dc9961de5a24e9219ebd9296
SHA256 508b5f4200f5773a1344e24042d55f376aeb48067f2e22a0288f11a298447658
SHA512 0ba081cb0e638eeaf63e9da8454db4ed64ffe0cc9e34cffcd7dfe53feaa1751b5a4b43cc2e7a0ae9a6d637d640fe34d586c17035f4f42f092f84507fe3f66c44

memory/4812-63-0x000000001BA20000-0x000000001BA6E000-memory.dmp

memory/4812-65-0x000000001BBB0000-0x000000001BBC8000-memory.dmp

memory/3860-66-0x00007FF9955D0000-0x00007FF996091000-memory.dmp

memory/4812-67-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

memory/3860-68-0x000000001B430000-0x000000001B440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2304-83-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/2304-82-0x00000000007F0000-0x00000000007F8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/2304-87-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/1624-88-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3860-90-0x00007FF9955D0000-0x00007FF996091000-memory.dmp

memory/4812-91-0x00007FF9955D0000-0x00007FF996091000-memory.dmp

memory/4812-92-0x000000001B2F0000-0x000000001B300000-memory.dmp

memory/1624-93-0x00000000743E0000-0x0000000074B90000-memory.dmp