Malware Analysis Report

2025-03-15 06:51

Sample ID: 240105-bdvwtsfhb6
Target: f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c
SHA256: f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c
Tags: orcus, rat, spyware, stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c

Threat Level: Known bad

The file f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c was found to be: Known bad.

Malicious Activity Summary

Tags: orcus, rat, spyware, stealer

Orcus
Orcus family
Orcus Rat Executable
Orcus main payload
Executes dropped EXE
Checks computer location settings
Drops desktop.ini file(s)
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-01-05 01:02

Signatures

Orcus Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family (tag: orcus)

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-05 01:02
Reported: 2024-01-05 01:04
Platform: win7-20231215-en
Max time kernel: 1s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe"

Signatures

Orcus (tags: rat, spyware, stealer, orcus)

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 rows, all N/A)

Orcus Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 rows, all N/A)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2516 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (recorded 3 times)
PID 2400 wrote to memory of 2384 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (recorded 3 times)
PID 2516 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | C:\Program Files\Orcus\Orcus.exe (recorded 3 times)

Uses Task Scheduler COM API (tag: persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe

"C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e9azomoy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF4C.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9979E28C-CC0A-4B33-A7C0-18A06467E7E4} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

Network

Country | Destination | Domain | Proto
N/A | 192.168.0.108:10134 | (no domain) | tcp (6 connections)

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-05 01:02
Reported: 2024-01-05 01:05
Platform: win10v2004-20231215-en
Max time kernel: 149s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe"

Signatures

Orcus (tags: rat, spyware, stealer, orcus)

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 rows, all N/A)

Orcus Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 rows, all N/A)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A (recorded 2 times)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Uses Task Scheduler COM API (tag: persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe

"C:\Users\Admin\AppData\Local\Temp\f968e51569c3cd788933a632b81cd1529ed658bdacc5f66565a4be3c807a081c.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ob3ayr7f.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7475.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7455.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
N/A | 192.168.0.108:10134 | (no domain) | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
N/A | 192.168.0.108:10134 | (no domain) | tcp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (5 connections)
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
N/A | 192.168.0.108:10134 | (no domain) | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
N/A | 192.168.0.108:10134 | (no domain) | tcp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
N/A | 192.168.0.108:10134 | (no domain) | tcp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp
N/A | 192.168.0.108:10134 | (no domain) | tcp

Files
