Malware Analysis Report

2025-01-22 15:10

Sample ID: 240212-bf3pfsfh64
Target: a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0
SHA256: a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0
Tags: orcus rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

10/10

SHA256

a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0

Threat Level: Known bad

The file a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0 was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus main payload

Orcus family

Orcurs Rat Executable

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-12 01:06

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-12 01:06

Reported

2024-02-12 01:08

Platform

win7-20231129-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2168 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2168 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2168 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2336 wrote to memory of 2484 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2336 wrote to memory of 2484 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2336 wrote to memory of 2484 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2168 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | C:\Program Files\Orcus\Orcus.exe
PID 2168 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | C:\Program Files\Orcus\Orcus.exe
PID 2168 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | C:\Program Files\Orcus\Orcus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe

"C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aa8-iqee.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15A4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC15A3.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
N/A | 192.168.0.18:10134 | | tcp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 26.65.233.242:10135 | | tcp

Files

memory/2168-0-0x0000000002320000-0x000000000237C000-memory.dmp

memory/2168-1-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

memory/2168-3-0x0000000000AA0000-0x0000000000B20000-memory.dmp

memory/2168-2-0x0000000000430000-0x000000000043E000-memory.dmp

memory/2168-4-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\aa8-iqee.cmdline

MD5 3cc7ef3c7484abd5496024f3f8017e95
SHA1 1ae43d43d148fe98c08f1ea2f631d31ae3147934
SHA256 763a47402fd93ef91c27a7320b82f54026e0556a1d8e632f78f901074fe2b128
SHA512 6b5e57428d2367f0e76cdf57b841b15818174c72c33d4d051eb6aa251d7371ce56e4a0712d2da0a08db0e5e8d3e8bf93030e327ca4688acf4898102df9142933

\??\c:\Users\Admin\AppData\Local\Temp\aa8-iqee.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

\??\c:\Users\Admin\AppData\Local\Temp\CSC15A3.tmp

MD5 a035be04dfcce3b7557ae72a79e4eb74
SHA1 0955749731fa4227c02db2fa4466e26e4e46c386
SHA256 7c479bc80789023a5ac649a629b44312181bc234780644dea700f10c11c3009f
SHA512 85adb182216e4aa4116a1872559d98de06fc49ee3efe7ffde99c7bf7bfacd82507d3bdcc04d1995ca4ad1138192769e600d06e7aba696c1e9404beb4e99c3c73

C:\Users\Admin\AppData\Local\Temp\RES15A4.tmp

MD5 b709b10d8f3a9e97bbee648533acb269
SHA1 5f6c51f06e75dc88740ece26be3faf225e70f056
SHA256 7881d064d23a2ba69490be99cb55d01bc6efe589f1b64e216ae0285a5a9cfd0e
SHA512 9dba0881920ed6c2a7b0bae90f02e2e64f6df502de90454553b75e3d96f0ddcb771350d0daf59303e27c1d90c8eaac449872a16558eb4e0b984e6d6a62a4d1d4

memory/2168-17-0x0000000000DC0000-0x0000000000DD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aa8-iqee.dll

MD5 a769b0e6641107227ad02d99caadd768
SHA1 27b941f5839d487ffb68e24318e100e86201635d
SHA256 32d0fa6498416cca64fdced216ff405e2bc9e543064499f5a343093f9adcfbac
SHA512 887bcf7c5ff82eeed1fd07af0810891eb82cae58c354a5d00b50c0ce3216c7b6f512ac1bd0e40b45faa26d69661fd45c8962850be1b9453481b85027ddf51095

memory/2168-19-0x0000000000460000-0x0000000000472000-memory.dmp

memory/2168-20-0x0000000000D90000-0x0000000000D98000-memory.dmp

memory/2168-21-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

memory/2168-22-0x0000000000AA0000-0x0000000000B20000-memory.dmp

memory/2168-26-0x0000000000AA0000-0x0000000000B20000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 6eb2f8547792eddb8370fad585a891d2
SHA1 a629a13596e00876b867a0a58254fa50a5e34922
SHA256 a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0
SHA512 632c2a56ef6b8d741d589b0231d834f445f301c66bbb243690a06b7df629408f908075f6972e971c7b798595d522f1892886a6f7c201e9892e7fbe38414a1344

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2168-31-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

memory/2544-33-0x0000000001280000-0x00000000013A8000-memory.dmp

memory/2544-34-0x000007FEEC700000-0x000007FEED0EC000-memory.dmp

memory/2544-35-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2544-36-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_436815d745b549a18fadaea7c4bea111.dat

MD5 00502de7a470cb4a866c0b6715f82831
SHA1 0e0d44dda0a7d4095613a187fb4678997f0f6e26
SHA256 d4748af0cd7e208f3adb87471ff593093a2c679d9674ee5a1b8b8483be66a168
SHA512 70a2a94a048531a184df375cfbe7ce3468ec4abfbf11d25033b50950e6d6c9779b8e5a0238d35488ca6e70f85dbca3d5e861662444a2c55df531c773466a2132

memory/2544-39-0x0000000000E40000-0x0000000000E58000-memory.dmp

memory/2544-40-0x0000000000E70000-0x0000000000E80000-memory.dmp

memory/2544-41-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2544-42-0x000007FEEC700000-0x000007FEED0EC000-memory.dmp

memory/2544-43-0x000000001AFE0000-0x000000001B060000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-12 01:06

Reported

2024-02-12 01:08

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe

"C:\Users\Admin\AppData\Local\Temp\a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ytz8chy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AF2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5AF1.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
N/A | 192.168.0.18:10134 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 26.65.233.242:10135 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
N/A | 192.168.0.18:10134 | | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 26.65.233.242:10135 | | tcp
N/A | 192.168.0.18:10134 | | tcp
US | 26.65.233.242:10135 | | tcp

Files

memory/1916-0-0x00007FFB54820000-0x00007FFB551C1000-memory.dmp

memory/1916-2-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/1916-1-0x000000001B7E0000-0x000000001B83C000-memory.dmp

memory/1916-5-0x000000001B9D0000-0x000000001B9DE000-memory.dmp

memory/1916-7-0x000000001BEF0000-0x000000001C3BE000-memory.dmp

memory/1916-6-0x00007FFB54820000-0x00007FFB551C1000-memory.dmp

memory/1916-8-0x000000001C460000-0x000000001C4FC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\8ytz8chy.cmdline

MD5 f26c84885ebef34d32b51d692fbd1d51
SHA1 7b842cba9c6933d04f0f19c241179ba24ffa250c
SHA256 99e6478469f3c8b2cfe0d9db7235128906a2c6480e0319a7d24a2edb1ef52a84
SHA512 70b4efb9b07d1cb5678afb3f217088e13f365d9fce5dcd7e66cd2c8f4d13ff9db26906c5423438626c526ccf769bc6f86af44fecb37fc4a2851fda194e0672ba

\??\c:\Users\Admin\AppData\Local\Temp\8ytz8chy.0.cs

MD5 80daf99a122bb2ca9f51f2aae63c4e73
SHA1 bbeb2370e64c1d0dbf7e789c2d8bf20e650d691b
SHA256 7b53f029a8575502f2f1942a381a7f3180cf82458b777563a6529a85316f94dc
SHA512 cc8ddcccce18eacfa5116e9ff2ae1c1f3558f7bdc3d47cc0bac455f958547cca01b5cb7ddb296c6d609f2a69ea2f2baa2bcdfd65f56f5ba06e718494982616be

memory/3248-14-0x0000000002280000-0x0000000002290000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC5AF1.tmp

MD5 57bc1d093fb2325c047476675b36d75d
SHA1 a745d8c7518f4a4c2d8f16f147f0234c40e98524
SHA256 5d571c4710c208f2d25d5542fd67f60b00b329e25ec87cb8d793b770122ea418
SHA512 2183a3fdb9cab85b056227dd354ddba28361ff170189fc416cc84a2da24953cab1f686bc9bc62905453413c73810f8de61ac5ff86b0cb5c299bf806725980855

C:\Users\Admin\AppData\Local\Temp\8ytz8chy.dll

MD5 924ebd09507c02710e2cd57ad7232f7b
SHA1 983cc928c41daa1ba705f15672e8571236258bc7
SHA256 b5da98cd8ed1f3e921248f54cb85a4c1ff7f290502fb9c68aa7d2264136fa451
SHA512 576d2744691e93e2d2774392ac5aab6185058e5cb8fed3581328e68e6b13818b8f5c4d3782861f51fe4efaeb5353b7e4961e5ca2ea3e4abf60fdb176fd6b762e

memory/1916-22-0x000000001CAF0000-0x000000001CB06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES5AF2.tmp

MD5 f51ff79c0a089a6c86698a31539f8f4b
SHA1 36a29bdf6dadd1fc7055fecac0078550d80b4763
SHA256 c258cb7678916890bd6e60f4ac33a192639f2436e135d9b5e800eaa9af204007
SHA512 809dc57e4048fa103258cee2aaab09f0d097c71711b61fbccc35dff5cff4c36ddfb5b0c1eb459dff2bd2a08b5654edd05ab7e242cea95345b31e0ab146852050

memory/1916-24-0x0000000001210000-0x0000000001222000-memory.dmp

memory/1916-25-0x00000000011F0000-0x00000000011F8000-memory.dmp

memory/1916-26-0x000000001B7D0000-0x000000001B7D8000-memory.dmp

memory/1916-27-0x000000001CEE0000-0x000000001CF42000-memory.dmp

memory/1916-28-0x000000001D840000-0x000000001DDFA000-memory.dmp

memory/1916-29-0x000000001DE00000-0x000000001DEF0000-memory.dmp

memory/1916-30-0x000000001D040000-0x000000001D05E000-memory.dmp

memory/1916-31-0x000000001DF00000-0x000000001DF49000-memory.dmp

memory/1916-32-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/1916-33-0x000000001DFE0000-0x000000001E050000-memory.dmp

memory/1916-34-0x0000000000FF0000-0x0000000001000000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 6eb2f8547792eddb8370fad585a891d2
SHA1 a629a13596e00876b867a0a58254fa50a5e34922
SHA256 a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0
SHA512 632c2a56ef6b8d741d589b0231d834f445f301c66bbb243690a06b7df629408f908075f6972e971c7b798595d522f1892886a6f7c201e9892e7fbe38414a1344

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4900-52-0x00007FFB51810000-0x00007FFB522D1000-memory.dmp

memory/4900-51-0x00000000002F0000-0x0000000000418000-memory.dmp

memory/1916-50-0x00007FFB54820000-0x00007FFB551C1000-memory.dmp

memory/4900-53-0x000000001B310000-0x000000001B320000-memory.dmp

memory/4900-54-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

memory/4900-56-0x0000000002760000-0x000000000279C000-memory.dmp

memory/4900-55-0x0000000000E10000-0x0000000000E22000-memory.dmp

memory/4900-57-0x000000001B730000-0x000000001B83A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\err_436815d745b549a18fadaea7c4bea111.dat

MD5 cfff640f5393152fb703ebac7c07b3a3
SHA1 668d3e9034b912b4b8d034339adbee83c56448e7
SHA256 690041c240cfe37472f532f2459887bb7ddce33c1806b59d07970f11fbadad77
SHA512 4b0fd49c277e9313811037ca8ecd9051169627b81fd7f7a83eb9c4804290d3ea960b710c4979b527cba54d27ed8ccb8260432a788d36d2b510f34e0dc9b8fb9d

memory/4900-60-0x00000000026F0000-0x0000000002708000-memory.dmp

memory/4900-61-0x000000001B090000-0x000000001B0A0000-memory.dmp

memory/4900-62-0x000000001B310000-0x000000001B320000-memory.dmp

memory/4900-63-0x00007FFB51810000-0x00007FFB522D1000-memory.dmp

memory/4900-64-0x000000001B310000-0x000000001B320000-memory.dmp

memory/4900-65-0x000000001B310000-0x000000001B320000-memory.dmp