Malware Analysis Report

2025-03-15 06:47

Sample ID 250117-tyaqhawkf1
Target nigger.exe
SHA256 51fc8dc03eca49528064dc469aafa0d1df10bd5a48a22896dfc4c5cc5f8899a5
Tags
orcus rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

51fc8dc03eca49528064dc469aafa0d1df10bd5a48a22896dfc4c5cc5f8899a5

Threat Level: Known bad

The file nigger.exe was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus

Orcus family

Orcurs Rat Executable

Orcus main payload

Orcurs Rat Executable

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-17 16:27

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-17 16:27

Reported

2025-01-17 16:30

Platform

win10ltsc2021-20250113-en

Max time kernel

131s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nigger.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nigger.exe

"C:\Users\Admin\AppData\Local\Temp\nigger.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kzxjfo0u.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES735C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC735B.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.126.37.18:16912 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 18.37.126.3.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\kzxjfo0u.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\kzxjfo0u.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC735B.tmp

C:\Users\Admin\AppData\Local\Temp\RES735C.tmp

C:\Users\Admin\AppData\Local\Temp\kzxjfo0u.dll

C:\Program Files\Orcus\Orcus.exe

C:\Program Files\Orcus\Orcus.exe.config

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\AForge.Video.dll

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\AForge.Video.DirectShow.dll

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\SharpDX.dll

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\SharpDX.Direct3D11.dll

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\SharpDX.Direct3D9.dll

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\SharpDX.DXGI.dll

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\TurboJpegWrapper.dll

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\CSCore.dll

C:\Users\Admin\AppData\Roaming\Orcus\lib_d2c1eb76639a415ebb82e3e5f8d92836\x64\turbojpeg.dll

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-17 16:27

Reported

2025-01-17 16:30

Platform

win11-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nigger.exe"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nigger.exe

"C:\Users\Admin\AppData\Local\Temp\nigger.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mvd_msfb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9403.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9402.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\mvd_msfb.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\mvd_msfb.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC9402.tmp

C:\Users\Admin\AppData\Local\Temp\RES9403.tmp

C:\Users\Admin\AppData\Local\Temp\mvd_msfb.dll