Malware Analysis Report

2025-03-15 06:54

Sample ID 231210-bdm6zsbbbj
Target ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed
SHA256 ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed

Threat Level: Known bad

The file ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus family

Orcurs Rat Executable

Orcus main payload

Orcus

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-10 01:01

Signatures

Orcurs Rat Executable

Description Indicator Process Target
No indicator details recorded (1 hit).

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
No indicator details recorded (1 hit).

Unsigned PE

Description Indicator Process Target
No indicator details recorded (1 hit).

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-10 01:01

Reported

2023-12-10 01:04

Platform

win7-20231023-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
No indicator details recorded (2 hits).

Orcurs Rat Executable

Description Indicator Process Target
No indicator details recorded (3 hits).

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2148 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2148 wrote to memory of 2564 (3 events) N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2212 wrote to memory of 2660 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe C:\Program Files\Orcus\Orcus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe

"C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnnqamvj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50A0.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:6667 N/A tcp (13 connections)

Files

memory/2212-0-0x000000001AFA0000-0x000000001AFFC000-memory.dmp

memory/2212-1-0x0000000001DB0000-0x0000000001DBE000-memory.dmp

memory/2212-3-0x0000000001DF0000-0x0000000001E70000-memory.dmp

memory/2212-2-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2212-4-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\tnnqamvj.cmdline

MD5 960b38066e6b11881dc36ddef165dbd5
SHA1 c3efe3b09d43da15463cee32b10ed57d59342148
SHA256 1117e192e9599fe15d2d04ef816bd4a094e5b9044c1885ae1253fe45fd518bfd
SHA512 84c2f77cc93ac1f413aed976717676febb3ad1ca336155bd7ce95dbb0f08a812a80d0e991800ffddda468cef7fc16ecb744fd99d457c4552863d78faafcf0681

\??\c:\Users\Admin\AppData\Local\Temp\tnnqamvj.0.cs

MD5 c555d9796194c1d9a1310a05a2264e08
SHA1 82641fc4938680519c3b2e925e05e1001cbd71d7
SHA256 ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a
SHA512 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

\??\c:\Users\Admin\AppData\Local\Temp\CSC50A0.tmp

MD5 215db6abee72b81ab4563548710cd9a9
SHA1 2837ba4cb901459810a5672b84cbfaf982ba5578
SHA256 7ac105d974f9ee7a085a0066cb84b5bed3d117bbe167a0779befcc57353530da
SHA512 65602401300e53f145be0f342ef02fbd0df96c504e7bb6aac90a9f88479671e765b52c9aa4f9d6b707c21a0695c072036c9d95a910f50749d62d7fa87448cb26

C:\Users\Admin\AppData\Local\Temp\RES50A1.tmp

MD5 d9ef64743f3b699b31b07e29019d4be5
SHA1 4f39ae0403a93474fc148fe229823399f2f365b1
SHA256 b9cd12ad2d78e238a5fe02ab44619f03fa084c1e1b01d7578480001002ac6321
SHA512 701e3ff86d85553196344279ed1b21aeb5191a92bd66029e11dea92415059ad9dbe8b217b5c5f69c86fa36e54869873fa2840ea6a43682fdae099210518ef854

memory/2212-17-0x000000001B040000-0x000000001B056000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tnnqamvj.dll

MD5 3dd7ba20f82e8eadf99dcaf7cbfae5ed
SHA1 266af9f788baf20b811581a44a3232ed169c1e60
SHA256 c1c8fb492f1b1bbdacaa19a1cc179423f62f79facf6b027799ec26b6f19afd6b
SHA512 bd66bb81e89f03ef671f68e42a15f3471af00a0e45beba1c83b9ee3b17dba5fae8ef44ecfa8bfd05bb26c526ed4128b42e4a36b6ebbcb840c1878ddcf05d3142

memory/2212-19-0x0000000001DE0000-0x0000000001DF2000-memory.dmp

memory/2212-20-0x000000001AF00000-0x000000001AF08000-memory.dmp

memory/2212-21-0x000000001AF90000-0x000000001AF98000-memory.dmp

memory/2212-22-0x0000000001DF0000-0x0000000001E70000-memory.dmp

memory/2212-26-0x0000000001DF0000-0x0000000001E70000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 de8b7fb309d25780aed16c57dbac7b6b
SHA1 83694155f1cf4548723063604bd7092db7dbe9e9
SHA256 ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed
SHA512 e266811afd132a68d5f246989ec08dca2bf827baa4d0ca077ff77586ee9a15f83b37962dd889476052befc79b902cca2fc97ef4362bad8b279ce24ca8fdf14fc

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2212-31-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2660-33-0x0000000000E70000-0x0000000000F5A000-memory.dmp

memory/2660-34-0x000007FEECD80000-0x000007FEED76C000-memory.dmp

memory/2660-35-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2660-36-0x00000000006A0000-0x00000000006B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_9330fd5dd8ac40358129df34f738958a.dat

MD5 8750611c2595cb9c2eacedb7f88a4410
SHA1 d7dd230e90638a2b49f9db29c985aa3c9a4a2e35
SHA256 4d736b655d0a6fa83e0d5e52c8cfbbf91a5b3e6f8d02a1b507a0c34eb82fcaf2
SHA512 d1cd6d38d349875af95e908fb540c1954f6629efe933687da9aa039e4a74a43ad7480717137ec2cc63decdc6d984b52dc1055d47c199f869212607eeb113e76a

memory/2660-39-0x0000000000B90000-0x0000000000BA8000-memory.dmp

memory/2660-40-0x0000000000A90000-0x0000000000AA0000-memory.dmp

memory/2660-41-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2660-42-0x000007FEECD80000-0x000007FEED76C000-memory.dmp

memory/2660-43-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2660-44-0x0000000000A10000-0x0000000000A90000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-10 01:01

Reported

2023-12-10 01:04

Platform

win10v2004-20231130-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
No indicator details recorded (3 hits).

Orcurs Rat Executable

Description Indicator Process Target
No indicator details recorded (4 hits).

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe

"C:\Users\Admin\AppData\Local\Temp\ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d86qkwlr.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B04.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4B03.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
N/A 127.0.0.1:6667 N/A tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:6667 N/A tcp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
N/A 127.0.0.1:6667 N/A tcp (6 connections)
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:6667 N/A tcp (4 connections)
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:6667 N/A tcp

Files

memory/4916-0-0x00007FF8C0BE0000-0x00007FF8C1581000-memory.dmp

memory/4916-1-0x000000001BFE0000-0x000000001C03C000-memory.dmp

memory/4916-2-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/4916-6-0x00007FF8C0BE0000-0x00007FF8C1581000-memory.dmp

memory/4916-5-0x000000001C0D0000-0x000000001C0DE000-memory.dmp

memory/4916-7-0x000000001C770000-0x000000001CC3E000-memory.dmp

memory/4916-8-0x000000001CCE0000-0x000000001CD7C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\d86qkwlr.cmdline

MD5 6e8a0f1123688ca70c5855353a4966b0
SHA1 97407de1a755ff49434da15e26f3808597000ed1
SHA256 4a518d1084a7cd055ab0ffe6b1c37a4f6f913e8a09c7c3e86200f0d3d6cefc5d
SHA512 802db96dba3977f0a79ab5ff32a88c6fb97446e6778d0a37129417e7484a7632002ca2b74091133abb0bc9c631c4aa273d74f30939a4c4d31acf5fc54d58f861

\??\c:\Users\Admin\AppData\Local\Temp\d86qkwlr.0.cs

MD5 1aa5d7f611716e08194557e8124f965d
SHA1 9e086b884aecf22edb6bb96501cec1c5f5a0d5b4
SHA256 4177854ff64ddabf0b2b39af9fd8197944e1e3d9b344941683f31b3a888f3fb7
SHA512 d4065fe4a0ddc1e57ddc90979094426e1a8de28acd2b01255c7aab41a616a854e6dfe943db07d4d4c97924d3b09bd2e9e94b8f9d8d5cf3f3de4b63b61ffbfcd8

memory/872-14-0x0000000000940000-0x0000000000950000-memory.dmp

memory/4916-22-0x000000001D2F0000-0x000000001D306000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d86qkwlr.dll

MD5 264dfe11381706119496691fba0f2ccd
SHA1 25d8aa7c2a3bf799b8f06a14b27e1c4d351e7700
SHA256 9e6c2bca563831772a750c3fb389c91c01b16d21b169f5a7f46a8b7080132224
SHA512 f7e7da7cad6fe99ef3594115acccf04216eb9d70aff4ddd131386c44cdd04253268cde435390fa368685efa3f9dbb47e70d96f45262cd58a24d51f8c6f6ebddf

C:\Users\Admin\AppData\Local\Temp\RES4B04.tmp

MD5 499e57e13081a85888a69b3f1068f4f1
SHA1 247b2f4f62f4655b9761047324eaf89fa26410f4
SHA256 9ee699681ac56b4c3e8a35357ae9eb71bf618d11542a29d170fcbf2230bf2222
SHA512 f6a0fc03c1513fb54407caf7fdf731860240e1e1eb675b4d8e3f64659f22404c7bde844b1b22779453a1794bded8a44c363285fd9e17b148e49dc4d18c9bc7be

\??\c:\Users\Admin\AppData\Local\Temp\CSC4B03.tmp

MD5 d13fad546d53fbbcfeb0807f482ff591
SHA1 5fe752ad38a9481b1f5d2ac7461e742a293d8560
SHA256 bde9f5496372a1075cf32b80fc8c08938c7da5bd9db64f206ec209642af66cf4
SHA512 52b7dea36e0086926d5766ad813c1c14e39d70e5f7c33cdf99d60a666721550a75097ede4da3b109c0f8bd28848b925dd391f5e41c9790475851e89b5896bc80

memory/4916-26-0x0000000001B00000-0x0000000001B08000-memory.dmp

memory/4916-25-0x00000000019E0000-0x00000000019E8000-memory.dmp

memory/4916-24-0x0000000001A00000-0x0000000001A12000-memory.dmp

memory/4916-27-0x000000001D6E0000-0x000000001D742000-memory.dmp

memory/4916-28-0x000000001E040000-0x000000001E5FA000-memory.dmp

memory/4916-30-0x000000001D840000-0x000000001D85E000-memory.dmp

memory/4916-29-0x000000001E600000-0x000000001E6F0000-memory.dmp

memory/4916-31-0x000000001E700000-0x000000001E749000-memory.dmp

memory/4916-32-0x00000000019B0000-0x00000000019C0000-memory.dmp

memory/4916-33-0x000000001E7E0000-0x000000001E850000-memory.dmp

memory/4916-34-0x00000000019B0000-0x00000000019C0000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 de8b7fb309d25780aed16c57dbac7b6b
SHA1 83694155f1cf4548723063604bd7092db7dbe9e9
SHA256 ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed
SHA512 e266811afd132a68d5f246989ec08dca2bf827baa4d0ca077ff77586ee9a15f83b37962dd889476052befc79b902cca2fc97ef4362bad8b279ce24ca8fdf14fc

memory/4916-50-0x00007FF8C0BE0000-0x00007FF8C1581000-memory.dmp

memory/4656-51-0x0000000000500000-0x00000000005EA000-memory.dmp

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4656-53-0x000000001B290000-0x000000001B2A0000-memory.dmp

memory/4656-52-0x00007FF8BD0C0000-0x00007FF8BDB81000-memory.dmp

memory/4656-54-0x0000000002670000-0x0000000002682000-memory.dmp

memory/4656-56-0x000000001B230000-0x000000001B26C000-memory.dmp

memory/4656-55-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/4656-57-0x000000001B7B0000-0x000000001B8BA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_9330fd5dd8ac40358129df34f738958a.dat

MD5 d8ae2cf2bc01a7cf06ea78b60a0ef924
SHA1 483e4a31c2fe58ba77ee8b3aaa88f2b7582b55eb
SHA256 b2e44deb3532a3ef02eda970dc818b7afd0d0ff57ec154f202e32bb917871e52
SHA512 018a00841441458721cdc67ce50e68517f746d83cba1427042c7ec0964f0e9b6f5291cf2e3697b841b7e167a739efc2f6fe6b505e27421ac5bfa5ef516537f59

memory/4656-60-0x00000000026F0000-0x0000000002708000-memory.dmp

memory/4656-61-0x0000000002790000-0x00000000027A0000-memory.dmp

memory/4656-62-0x000000001B290000-0x000000001B2A0000-memory.dmp

memory/4656-63-0x00007FF8BD0C0000-0x00007FF8BDB81000-memory.dmp

memory/4656-64-0x000000001B290000-0x000000001B2A0000-memory.dmp

memory/628-65-0x0000018EF4640000-0x0000018EF4650000-memory.dmp

memory/628-81-0x0000018EF4740000-0x0000018EF4750000-memory.dmp

memory/628-97-0x0000018EFCCB0000-0x0000018EFCCB1000-memory.dmp

memory/628-98-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-99-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-100-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-101-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-102-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-103-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-104-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-105-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-106-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-107-0x0000018EFCCE0000-0x0000018EFCCE1000-memory.dmp

memory/628-108-0x0000018EFC900000-0x0000018EFC901000-memory.dmp

memory/628-109-0x0000018EFC8F0000-0x0000018EFC8F1000-memory.dmp

memory/628-111-0x0000018EFC900000-0x0000018EFC901000-memory.dmp

memory/628-114-0x0000018EFC8F0000-0x0000018EFC8F1000-memory.dmp

memory/628-117-0x0000018EF3FF0000-0x0000018EF3FF1000-memory.dmp

memory/628-129-0x0000018EFCA30000-0x0000018EFCA31000-memory.dmp

memory/628-131-0x0000018EFCA40000-0x0000018EFCA41000-memory.dmp

memory/628-133-0x0000018EFCB50000-0x0000018EFCB51000-memory.dmp

memory/628-132-0x0000018EFCA40000-0x0000018EFCA41000-memory.dmp