Malware Analysis Report

2025-01-22 15:02

Sample ID 241206-bhbnraxqfm
Target b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34
SHA256 b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34
Tags orcus rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V15

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34

Threat Level: Known bad

The file b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34 was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus family

Orcus

Orcus main payload

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-12-06 01:08

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-06 01:08
Reported 2024-12-06 01:10
Platform win7-20240903-en
Max time kernel 149s
Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2812 wrote to memory of 2576 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2336 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe C:\Program Files\Orcus\Orcus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe

"C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nbnjzhw5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC30A2.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
N/A 192.168.31.232:3941 tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\nbnjzhw5.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\nbnjzhw5.0.cs

C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC30A2.tmp

C:\Users\Admin\AppData\Local\Temp\nbnjzhw5.dll

C:\Program Files\Orcus\Orcus.exe

C:\Program Files\Orcus\Orcus.exe.config

C:\Users\Admin\AppData\Roaming\Orcus\err_8b9d3646f7234d7ea3bb88796d93242f.dat

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-06 01:08
Reported 2024-12-06 01:10
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe

"C:\Users\Admin\AppData\Local\Temp\b8ec53038837781ba7037514d04e4c8075489185dcb967a4e296aec35c62ef34.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8hsb7hif.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8657.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8656.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 192.168.31.232:3941 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\8hsb7hif.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\8hsb7hif.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC8656.tmp

C:\Users\Admin\AppData\Local\Temp\RES8657.tmp

C:\Users\Admin\AppData\Local\Temp\8hsb7hif.dll

C:\Program Files\Orcus\Orcus.exe

C:\Program Files\Orcus\Orcus.exe.config

C:\Users\Admin\AppData\Roaming\Orcus\err_8b9d3646f7234d7ea3bb88796d93242f.dat