Analysis Overview
SHA256
a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16
Threat Level: Known bad
The file a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 was found to be: Known bad.
Malicious Activity Summary
Orcus main payload
Orcus
Orcus family
Orcurs Rat Executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-08 01:08
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-08 01:07
Reported
2023-12-08 01:10
Platform
win7-20231201-en
Max time kernel
126s
Max time network
150s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2696 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe
"C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe"
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
"C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {98F72091-A208-426B-BF6F-8F94065519B4} S-1-5-21-1502336823-1680518048-858510903-1000:XARGEIVJ\Admin:Interactive:[1]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41931.client.sudorat.top | udp |
| RU | 31.44.184.52:41931 | 41931.client.sudorat.top | tcp |
| N/A | 127.0.0.1:1111 | N/A | tcp |
Files
memory/1728-1-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/1728-0-0x0000000000100000-0x00000000003FE000-memory.dmp
memory/1728-2-0x00000000007F0000-0x0000000000830000-memory.dmp
memory/1728-3-0x0000000000590000-0x000000000059E000-memory.dmp
memory/1728-4-0x0000000000B60000-0x0000000000BBC000-memory.dmp
memory/1728-5-0x0000000000720000-0x0000000000732000-memory.dmp
\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/1728-17-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2696-16-0x0000000000C40000-0x0000000000F3E000-memory.dmp
memory/2696-18-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2696-19-0x0000000004D40000-0x0000000004D80000-memory.dmp
memory/2696-20-0x00000000006A0000-0x00000000006B2000-memory.dmp
memory/2696-21-0x0000000000B70000-0x0000000000BBE000-memory.dmp
memory/2744-22-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2744-24-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2744-26-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2744-27-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2744-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2744-30-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2696-31-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2744-33-0x0000000000400000-0x00000000006FE000-memory.dmp
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
memory/2612-36-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2744-37-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2612-38-0x0000000004B40000-0x0000000004B80000-memory.dmp
memory/2744-39-0x0000000000960000-0x0000000000978000-memory.dmp
memory/2744-40-0x00000000009B0000-0x00000000009C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1364.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2744-57-0x0000000001020000-0x000000000102E000-memory.dmp
memory/2744-58-0x0000000002870000-0x0000000002872000-memory.dmp
memory/2612-59-0x00000000743B0000-0x0000000074A9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
memory/2068-62-0x00000000011C0000-0x00000000014BE000-memory.dmp
memory/2068-61-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2068-63-0x0000000000520000-0x0000000000560000-memory.dmp
memory/2068-64-0x00000000743B0000-0x0000000074A9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
memory/1604-67-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/1604-66-0x0000000001340000-0x000000000163E000-memory.dmp
memory/1604-68-0x00000000012C0000-0x0000000001300000-memory.dmp
memory/1604-69-0x00000000743B0000-0x0000000074A9E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-08 01:07
Reported
2023-12-08 01:10
Platform
win10v2004-20231127-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4788 set thread context of 1568 | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
| PID 3992 set thread context of 4564 | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe
"C:\Users\Admin\AppData\Local\Temp\a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16.exe"
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
"C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe"
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41931.client.sudorat.top | udp |
| RU | 31.44.184.52:41931 | 41931.client.sudorat.top | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.184.44.31.in-addr.arpa | udp |
| N/A | 127.0.0.1:1111 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/3768-1-0x0000000000710000-0x0000000000A0E000-memory.dmp
memory/3768-0-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/3768-2-0x0000000002E20000-0x0000000002E30000-memory.dmp
memory/3768-3-0x0000000002E30000-0x0000000002E3E000-memory.dmp
memory/3768-4-0x00000000053D0000-0x000000000542C000-memory.dmp
memory/3768-5-0x0000000005D10000-0x00000000062B4000-memory.dmp
memory/3768-6-0x0000000005760000-0x00000000057F2000-memory.dmp
memory/3768-7-0x0000000005C50000-0x0000000005C62000-memory.dmp
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/3768-24-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4788-23-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4788-25-0x00000000016C0000-0x00000000016D0000-memory.dmp
memory/4788-26-0x0000000005E60000-0x0000000005EAE000-memory.dmp
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
memory/4788-28-0x00000000067C0000-0x000000000685C000-memory.dmp
memory/1568-31-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4788-32-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1568-33-0x00000000052A0000-0x00000000052B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sqldb.exe.log
| MD5 | 663b8d5469caa4489d463aa9bc18124f |
| SHA1 | e57123a7d969115853ea631a3b33826335025d28 |
| SHA256 | 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8 |
| SHA512 | 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55 |
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
memory/3992-37-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/3992-38-0x0000000004E20000-0x0000000004E30000-memory.dmp
memory/1572-39-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4564-40-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4564-41-0x0000000005200000-0x0000000005210000-memory.dmp
memory/1568-42-0x0000000005BA0000-0x0000000005BB8000-memory.dmp
memory/1568-43-0x0000000006520000-0x0000000006530000-memory.dmp
memory/1568-44-0x00000000069A0000-0x00000000069AA000-memory.dmp
memory/1568-47-0x0000000007100000-0x0000000007166000-memory.dmp
memory/1572-48-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4564-50-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1568-51-0x0000000007790000-0x0000000007DA8000-memory.dmp
memory/1568-52-0x0000000007210000-0x0000000007222000-memory.dmp
memory/1568-53-0x0000000007270000-0x00000000072AC000-memory.dmp
memory/1568-54-0x00000000072B0000-0x00000000072FC000-memory.dmp
memory/1568-55-0x0000000007460000-0x000000000756A000-memory.dmp
memory/1568-56-0x0000000007DB0000-0x0000000007F72000-memory.dmp
memory/1568-57-0x0000000007630000-0x000000000763E000-memory.dmp
memory/1568-58-0x0000000008220000-0x0000000008270000-memory.dmp
memory/1568-59-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1568-60-0x00000000052A0000-0x00000000052B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
memory/1796-62-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1796-63-0x00000000052F0000-0x0000000005300000-memory.dmp
memory/1796-64-0x00000000746C0000-0x0000000074E70000-memory.dmp
C:\Users\Admin\AppData\Roaming\phpdb\sqldb.exe
| MD5 | 46c99087ac08294ad362ad6e78f9a2f2 |
| SHA1 | d813fdcb345b6aa77a788168cc9d93e4ca4f1de6 |
| SHA256 | a73df758241b27144774e86fc91a3006f37f867cff7aef89da0a1de89ab51a16 |
| SHA512 | 594572c4f73ac4f9fa85e088eef61014cd93d96f27a7a6c7556bfd958d951395b43ce90ed20010262bbedfa5a5e35853475cf7455b1a5c408a39f3e10f5e5bf4 |
memory/2176-66-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/2176-67-0x0000000005BA0000-0x0000000005BB0000-memory.dmp
memory/2176-68-0x00000000746C0000-0x0000000074E70000-memory.dmp