Malware Analysis Report

2025-01-22 15:04

Sample ID: 240213-p6a9sabe99
Target: Orcus.Administration.exe
SHA256: 911e3e95efddbae9d1c2f4b04027567c76823116755097b5868b7241c7e30cbc
Tags: orcus rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 911e3e95efddbae9d1c2f4b04027567c76823116755097b5868b7241c7e30cbc

Threat Level: Known bad

The file Orcus.Administration.exe was found to be: Known bad.

Malicious Activity Summary

Tags: orcus rat spyware stealer

Orcurs Rat Executable
Orcus family
Orcus
Orcurs Rat Executable
Loads dropped DLL
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-13 12:56

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-13 12:56
Reported: 2024-02-13 13:27
Platform: win7-20231129-en
Max time kernel: 1556s
Max time network: 1557s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe
  "C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe"

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 544

Network

N/A

Files

memory/2956-0-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/2956-1-0x0000000000C10000-0x0000000001C4E000-memory.dmp

memory/2956-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-13 12:56
Reported: 2024-02-13 13:27
Platform: win10v2004-20231215-en
Max time kernel: 1799s
Max time network: 1760s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\OrcusRAT-main\OrcusRAT-main\Orcus.Administration.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133523027402236246" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

(The two rows above alternate 32 times each in the raw report; 64 identical rows collapsed.)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

(48 identical rows collapsed.)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

(24 identical rows collapsed.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 436 wrote to memory of 2972 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 436 wrote to memory of 1792 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 436 wrote to memory of 4156 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 436 wrote to memory of 3020 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

(Identical rows collapsed: 2 writes to PID 2972, 38 to PID 1792, 2 to PID 4156, 22 to PID 3020; 64 rows in the raw report.)

Processes

C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe
  "C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe"

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4236 -ip 4236

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 832

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8b69d9758,0x7ff8b69d9768,0x7ff8b69d9778

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4660 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5280 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3172 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5560 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5656 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5800 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6120 --field-trial-handle=1904,i,15340471619960967125,1541862135079182828,131072 /prefetch:2

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\OrcusRAT-main\OrcusRAT-main\Orcus.Administration.exe
  "C:\Users\Admin\Downloads\OrcusRAT-main\OrcusRAT-main\Orcus.Administration.exe"

C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.179.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.21:443 collector.github.com tcp
DE 140.82.121.6:443 api.github.com tcp
US 8.8.8.8:53 6.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
GB 142.250.179.234:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 api.github.com udp
DE 140.82.121.5:443 api.github.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 5.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 codeload.github.com udp
DE 140.82.121.9:443 codeload.github.com tcp
US 8.8.8.8:53 9.121.82.140.in-addr.arpa udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 collector.exceptionless.io udp
US 52.149.199.118:443 collector.exceptionless.io tcp
US 8.8.8.8:53 118.199.149.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 orcus.pw udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
N/A 192.168.10.8:8000 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 206.191.110.104.in-addr.arpa udp
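The Network table above mixes several sources: the analyst's own Chrome session inside the sandbox (the github.com, codeload.github.com and Google lookups, which match the OrcusRAT-main.zip.crdownload entry in the Files listing), reverse-DNS (PTR) queries that the VM issues for every address it touches, and mDNS. Only a handful of rows are left once that is removed, and those are the ones worth pivoting on. The script below is an added example, not part of the report or of the sandbox's tooling; the rows are a constructed subset copied from the table above, and the allowlist of browser-session domains, the treatment of every 8.8.8.8:53 row as a resolver query, and the separate bucket for private-range peers are assumptions of the script.

```python
"""Filter a sandbox report's Network table down to candidate IOCs.

Added example. Input rows are copied from the report; the noise
allowlist and the classification rules are this script's assumptions.
"""
import ipaddress

# Constructed input: a representative subset of the Network rows above.
NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 codeload.github.com udp
DE 140.82.121.9:443 codeload.github.com tcp
US 8.8.8.8:53 collector.exceptionless.io udp
US 52.149.199.118:443 collector.exceptionless.io tcp
US 8.8.8.8:53 orcus.pw udp
N/A 192.168.10.8:8000 tcp
"""

# Assumption: traffic explained by the analyst's Chrome session (the report
# shows chrome.exe fetching OrcusRAT-main.zip from GitHub) and by Chrome's
# own background services. Extend per environment.
NOISE_SUFFIXES = (
    "google.com", "googleapis.com", "gvt2.com",
    "github.com", "githubusercontent.com", "githubassets.com",
    "amazonaws.com",
)
MDNS = ("224.0.0.251", 5353)


def parse_network(text):
    """Yield (country, ip, port, domain, proto) per row; domain may be ''.

    Rows without a domain (mDNS, raw TCP to a peer) have three columns,
    all others four, so the domain is the optional third field.
    """
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def is_noise(domain):
    """True when the name is the allowlisted domain or a subdomain of it."""
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def network_iocs(text):
    """Return {'dns': [...], 'connections': {name: [ip:port/proto]}, 'lan': [...]}.

    Drops PTR lookups, mDNS and allowlisted browser traffic. Resolver queries
    (port 53 with a name) become 'dns' entries; connections to private-range
    addresses are kept apart in 'lan' because they cannot be attributed
    without the sandbox's network layout.
    """
    dns, conns, lan = set(), {}, set()
    for _, ip, port, domain, proto in parse_network(text):
        if domain.endswith(".in-addr.arpa") or (ip, port) == MDNS:
            continue
        if domain and is_noise(domain):
            continue
        if port == 53 and domain:
            dns.add(domain)
        elif ipaddress.ip_address(ip).is_private:
            lan.add(f"{ip}:{port}/{proto}")
        else:
            conns.setdefault(domain or "(no name)", set()).add(f"{ip}:{port}/{proto}")
    return {
        "dns": sorted(dns),
        "connections": {k: sorted(v) for k, v in sorted(conns.items())},
        "lan": sorted(lan),
    }


if __name__ == "__main__":
    for bucket, items in network_iocs(NETWORK_ROWS).items():
        print(bucket, items)
```

Run against the full table, the same filter leaves the orcus.pw lookup, the collector.exceptionless.io lookup and its 443/tcp connection, and the 192.168.10.8:8000/tcp peer; everything else in the table is resolver, multicast or browser-session traffic. Whether the surviving entries are the sample's own beacons or the controller's telemetry is a judgement the report does not make, so the script only surfaces them.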

Files

memory/4236-0-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4236-1-0x0000000000010000-0x000000000104E000-memory.dmp

memory/4236-2-0x00000000747D0000-0x0000000074F80000-memory.dmp

\??\pipe\crashpad_436_DEJKVHGPFKOOXGYM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 514ce401ec9402ed4f618b3b31156cc5
SHA1 c40537c77dd1108100d6610546597fc646e220ed
SHA256 3e5a14aa4b35109e611a02a1d221e8a31a38fa8b0e4e45e56aed29a46f9c76c8
SHA512 cd224f12c77c2029084b2c00c49b88dab32cbb3ff452de566d982e69869bff4140d38899c5260aa04880fe5915ff29d6850000cb36a40143d08edbbbc244b305

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 50bcf99c4cf3d187743cfadbeb77d932
SHA1 23e7320606d0751dc170845ffa0dac7e8a66afec
SHA256 8f39b4fa733e8901d06275e91d466c9790d6e79df84126028f67eb47f25bccf3
SHA512 ecb6a4b8036c57999be9d4a7992f6a4ca6fc5dbb0bf4b13bb1b9fbd2585906b9907d29c6b7b0e0fd75bbcc180a96472752ab4ee4c79bbc6448e824095520ceac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 1b86634f529d009f3c035ac1f025a521
SHA1 32da4425d98a918496bbc7a25990565669eb76eb
SHA256 ac699f8e162f49f19004fff27b8f70c0c8444278e6e1ddfcaa945726bd16e90a
SHA512 be3db86fa9f29f40797a04da27d1b9a1fe22d31237831cb7abe0b1656bcff7edc721b9a92016ecaf5527c268aac8048b7577b27f24bb034015a9edb9ab2dfbac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 78914c0fe2259ed95c3c1fce3e745d2f
SHA1 974d498d25edc20981af7525709cac3f77cb72a1
SHA256 46cce67115b25970e9d7746d088027dd949ffa33519f38a5ed36ca6ffad7f3f9
SHA512 dc2d7eec0ed46b1eda7f60222a2ee4f84802189fff407bf9cf6673e9579306c48e98aa1f124332d01631f04e8b47ad506fc06e5db0a088ccafd49c1a7bd6d239

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 9539a5fbf5e47bbebad00be67a1eefa5
SHA1 4e1647565d14b099ff3c4ad3db7614364af79c95
SHA256 9299c7b34e5378f717f62c3e0231a4316615fa6b75a162ed66bc4899528c7af5
SHA512 0643a722c0df38b570e084de0319544e1945aa0cd6b7bb41802d94491c30c5749c7879bc67fc3a0a597a16c99e8e0690e4732dff8ce0eef68c737c89d8735d05

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9a9d3eff19e8079a48aa322ee78da6a6
SHA1 8d7a6ee0a254df4831faa15839e0bec7ff003911
SHA256 8350a145be72a88513d56ed2d6631e4387b0f854becd2868505bda598507c2c8
SHA512 24a2d6178d517164b891b0139c7c2305ba797b2e3effab3a0cba92a3dc3ce6c54d6f223febfcc193a5d6e58362b2675cc35fcffd940039c55a8ad05555571a6b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 69866359f341ee1ae4c4eba3847fdac3
SHA1 fdeb58e5a8ccbf94efb3c6b1cadf1eb384d47c66
SHA256 604096ba439189ebd999d9e53e2fc03dbe3cbcaf5858a204cf88d0e48357a97d
SHA512 f893b33481b5fd7a5094597c4a3f8dba3aab26ce522830312c67cab5f5c916fabfc8acc3c416f079eec648069bc2cb42d32efba4f3a43f9dece5143985be0d31

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4a550b8761e9db3cdea547b8f4eeb138
SHA1 e78472a7e4e5bbef9d12345ea278c628f112e6f9
SHA256 3313be60682c4b3370bc0cbd5d1ff4c6fb902b5b62ea25d01d137345362c4bb6
SHA512 08f2d0106af336f4be8de7a035ce4a61ef40ae6158dce14cf8aba488e3baf25719ee6520a36edd19ab4192246e464136116e7eff5dff2a741d31c59a8b8021b7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7cbe9e6660ada6195fd4d293a7838a69
SHA1 74fae2999e4f058a34a28ca2440b16443b15613a
SHA256 a38d73257850b5d2c185f63962a667344fa939362646c2839bbf89f788f422e5
SHA512 7d9f3205469bb6d68f3478a1e9bc773caf1a5bf4add05aceb14af2b3a57568556a863746da4a22ed030378e26ecff972cf893c5fec511d00ae6aa8afb1c10033

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a982dabf1da541de6d83bbffb84702c3
SHA1 bd949903c9d9d2df351d6dc383945c68019552ef
SHA256 6497b02da53586ad822ccd239d3ff2bd543ab31a1b19432ca26e0ddaa934b4c8
SHA512 a073b3a9e1bdaea3b1776f74fb0b9d8d073fc89d1a6297ce7aa2adc832aeefae4dbebf3a5c20f3d49ae8cbd352772163ad8e25a748e7a60349cf8906af1f1f15

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 56f670b00984c08780aa14af8e2e9cd3
SHA1 016c6060cc0d9529d378c2eabc5f41916f5c3baa
SHA256 54c20451b4fbf59cc57e879e80b4dafd9982dcecd0f6fcaba3b05adfd505348b
SHA512 ccd01a746900fb0465525279ad1d58ebd92f4f4e986943243f5c87b73ecfff253a0ea94bcd9a286dedd6432bd6b9f25e389cfa5912d3d8c012829dc3538caac4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 df181d68062db32f43678892d0f3324f
SHA1 944d84728b08f284efe77a9f5132b03e58fda683
SHA256 cefddd47c67997b2afc457f2492e1355e88da7d590835f3036095aa28b2c0431
SHA512 662beaa84d7483128b61717e64c8a16002ba3d6607505470369031b23ad7dc2b49e61766aa8e68e425cebaed69f988f3eac755846cf0f47703c65abfd13ee6b9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

MD5 657ed1b9ac0c74717ea560e6c23eae3e
SHA1 6d20c145f3aff13693c61aaac2efbc93066476ef
SHA256 ff95275ab9f5eadda334244325d601245c05592144758c1015d67554af125570
SHA512 60b6682071ade61ae76eed2fe8fa702963c04261bd179c29eed391184d40dc376136d3346b3809b05c44fb59f31b0e9ab95f1e6b19e735234d1f0613720e532f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

MD5 4b4947c20d0989be322a003596b94bdc
SHA1 f24db7a83eb52ecbd99c35c2af513e85a5a06dda
SHA256 96f697d16fbe496e4575cd5f655c0edb07b3f737c2f03de8c9dda54e635b3180
SHA512 2a3443e18051b7c830517143482bf6bffd54725935e37ee58d6464fac52d3ce29c6a85fc842b306feaa49e424ba6086942fc3f0fea8bb28e7495070a38ce2e59

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

MD5 fa938d13f992578fab849f63ad6758d0
SHA1 35f74de235395966c309187b2256270518a13d15
SHA256 c83bea6acdb959657946efaa2cc6a971506bf4b56ecb0c4951e89193b78caa95
SHA512 6d665cbc05fc826e83111014d0258867ccaee6e05d3f7457c78a8843e8c88c6d8c4175979b37e7795e22b6c5b0a4aaa161e8948c1262bbad4422870d0788e0d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

MD5 5d04a5aed02ac5a2f8a4269a6c2570b5
SHA1 727f0be60a1bd0abfe72a018e5741204006d5f03
SHA256 7d8edeba0329989214034e43d9b5c089bb187c2082dd29a811cc766ad998c258
SHA512 88bcd58efd108cacc3818994606e9fd58f0fdf59e4a0beec4be6081f49d0c236c08168ae9a8b975e7a8955068d4fa2765d68506e5a042bf2a962393aedcf1961

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 afde709ff0a57970f521d0186c1b7991
SHA1 bf06117dd1b08e3e0b735c2c17865cc8897354ca
SHA256 e2047aa86b218156a9f09c58d4cc48a8637bee8184216398a1c0c04d30b79672
SHA512 b8537783f33b0d9afcd046f832355d3bc1a8dd439c38ee7b4737f455a8fdb73320760edcd6f9ce823b54593b7c06bee01a6a476a799d9026cf8c8268a707a453

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6619427fb9a26425d6f0d851b25a20af
SHA1 a3f2501a6b4d2ec50b8a94607cf753b4e9d73b9b
SHA256 cab85d63f756e1cb34d353951f3ce626199196517287ee6263d47d9751e95048
SHA512 7ca60a1de0d6a0b2313b34ca773b2fcc8ec0258b03e4750292e5ef6d9b5ae298e6ca1d595a6f8ef90fe028def0a5c6009286a6de848db5673a4f67b60ec87f36

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cfe62f1587a33baf4f20fda6f9cc2517
SHA1 919b126bcc40b4791a2a8ede49d6e705bfe7162d
SHA256 07f50fc0f4153062fed2e537d9f31c2d84637ead127b768bc00c61b3b211e882
SHA512 600b8fe801007142e76207cf160bc42b1b543aa3d8213e838cfff829874a8f4ab1a0c962f267beb5399cc5cfc76e0e37f9a3547ac2116aa3b5fdf43793365ce3

C:\Users\Admin\Downloads\OrcusRAT-main.zip.crdownload

MD5 4ebe8621171038676189cbc5e7053d9f
SHA1 2e3a3b97163d1e8af1e41c36f9495062fb4b1934
SHA256 3786d314f4e3906400b24657ed15fca047576eba9cf17630246db69503fdbea3
SHA512 e0091ae9f3acddc7e8d11b89a60debc3dab57b8af57bde4a3f538b2283eae398a1adec8224bf5fd2d0be61be015fc2a79c49b06cf786945073e1cc87d66be356

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ad336bf97325a6bc4bb3ca059e0a0d77
SHA1 29f12d00a65fa6006315a6733c332433ecd0e2b6
SHA256 b9eb9b8f10feb70e8a33a3dfe9958fc26cafcf64461295d8dcc79accc84844ac
SHA512 02c3e7bee458aebeb90ffc3c195719c2cadcc1f04f524f1d6b14bb9bfba2680546abdbec028bb1d50eeb40c3df3d0a0742de74b9466705c415df9da80b1e06e9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 4736595714878b47e4db7893074be245
SHA1 74d3a7c1b22538a37d7cf53a99ce3fabe1880547
SHA256 ef1caedbc9229811c2d39843ab2b0efd7a1a593c10157415351c6dc0913a3114
SHA512 5fec5a7126582d3b272b022c2eb10af1f04c1901e8ad6d4d528234a5e816723f18782085f7a16f046f1ada5ab4eb70ad4bbddfaf2e670899d5b0b2ce210cb1fe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a0716.TMP

MD5 5d0d8c91f3b8a6f56e7bdf60133035ae
SHA1 7d8f5c7f50a4c04ac920d070f4d039cfadec6ac9
SHA256 4214d7f637962edb7a0a88f096786e7842b6928e042d68283d3aa8607798d467
SHA512 565f4a6a4db1981fee4ad6e3373684a7abceb8612b87ff9e824bfaf50e28032b32b3df0f5b7095c896454189cb0c0eac98e99f5835b4dda4779839b5a5416e7b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 82ff40a5c3d4df8f5433ffe7814d828f
SHA1 45ac5302802c95e816e10c62a9f511870f6aa352
SHA256 aaa339ac20cecf42a7c5c0f91d88df1e87312b205662b1d2b576fb433902ed66
SHA512 78100ccc30fa800e5c10a08d538a8b4f772dc9315d3792339ad1d7a323024f6ee489b913a02c417a2b591124f2d01c5d32ba00e67b65e43a7a02b25e72baa3d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 99814a14929d7917a32a1f5caac11b5a
SHA1 486bce95176c259393b498156ee51423932f3971
SHA256 7f485d5f76d994cc579f6e87ac500d3c8784ac237c6e68164424397815c58f15
SHA512 c342db7160bc15beb02a82c953248bcad3d278c5f7a68a54b282b449763806c7ab4fa958aa793264c9d002d80046a96025eb268f9b25e1161ecb2897889ba7ce

memory/376-598-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/376-600-0x0000000006EB0000-0x0000000007146000-memory.dmp

memory/376-599-0x0000000006860000-0x0000000006910000-memory.dmp

memory/376-601-0x0000000006C70000-0x0000000006C80000-memory.dmp

memory/376-602-0x0000000007150000-0x000000000723C000-memory.dmp

memory/376-603-0x0000000007350000-0x0000000007452000-memory.dmp

memory/376-604-0x0000000006E10000-0x0000000006E2C000-memory.dmp

memory/376-605-0x0000000006E30000-0x0000000006E4C000-memory.dmp

memory/376-606-0x0000000006E00000-0x0000000006E06000-memory.dmp

memory/376-607-0x000000000CF00000-0x000000000CF18000-memory.dmp

memory/376-608-0x000000000D110000-0x000000000D122000-memory.dmp

memory/376-609-0x000000000D2C0000-0x000000000D346000-memory.dmp

memory/376-610-0x000000000D280000-0x000000000D2A2000-memory.dmp

memory/376-611-0x000000000D350000-0x000000000D6A4000-memory.dmp

memory/376-612-0x0000000074730000-0x0000000074EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 3a3f459521d6d2f89a0146da02e077d0
SHA1 792b4cafd3c4f229bec8d96e58efa815902991e3
SHA256 073d86c8707cbfc9ec89a9e400b7dc5cb7a8808fd0579ff689d6d1e4748c4f60
SHA512 e9b2cf21235c3e80973955a9f5ed337ef7655067ba7eb01b617b028852b071d2b1c24c4595f8f08ac0a63f0230e050c171ce4b119515f3ed47015c5b4e5e88a1

memory/376-622-0x0000000006E60000-0x0000000006E6E000-memory.dmp

memory/376-623-0x0000000010B60000-0x0000000010BE8000-memory.dmp

memory/376-624-0x0000000010170000-0x000000001017A000-memory.dmp

memory/376-625-0x00000000102F0000-0x0000000010302000-memory.dmp

memory/376-626-0x0000000011570000-0x0000000011622000-memory.dmp

memory/376-627-0x0000000006C70000-0x0000000006C80000-memory.dmp

memory/376-628-0x0000000006E80000-0x0000000006E88000-memory.dmp

memory/376-629-0x0000000010180000-0x000000001018A000-memory.dmp

memory/376-630-0x0000000010330000-0x0000000010338000-memory.dmp

memory/376-631-0x0000000008590000-0x00000000088D2000-memory.dmp

memory/376-632-0x00000000088D0000-0x00000000088D8000-memory.dmp

memory/376-633-0x0000000008920000-0x000000000892A000-memory.dmp

memory/376-634-0x0000000008D30000-0x0000000008D44000-memory.dmp

memory/376-635-0x0000000008D60000-0x0000000008D72000-memory.dmp

memory/376-636-0x0000000008D80000-0x0000000008DE4000-memory.dmp

memory/376-638-0x0000000008DF0000-0x0000000008DFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\opus.dll

MD5 1fc04b8bb4896745163df806695ee193
SHA1 39174ce2fca9a3e86bb7a5686037bc42f2572de1
SHA256 3f2b2fd440fdd84288dadfc63e37a4bc7ea0aae26889ab0d4a5ef6148f44ce14
SHA512 3ff18bdd364f27e54ffbf2d1af53e3500ec57e7e8fa14185f7fb1ef6639d69ac6253543b9e2155ade45ca5bcd567e94334f1ee7ad0a7ff28194168dc49883261

memory/376-637-0x0000000008E80000-0x0000000008F12000-memory.dmp

memory/376-644-0x0000000008E00000-0x0000000008E12000-memory.dmp

memory/376-645-0x0000000008E10000-0x0000000008E18000-memory.dmp

memory/376-646-0x0000000008F20000-0x0000000008F6A000-memory.dmp

memory/376-647-0x0000000008E30000-0x0000000008E52000-memory.dmp

memory/376-648-0x0000000008E50000-0x0000000008E62000-memory.dmp

memory/376-649-0x00000000097E0000-0x0000000009D84000-memory.dmp

memory/376-650-0x0000000009270000-0x0000000009278000-memory.dmp

memory/376-651-0x00000000092B0000-0x00000000092B8000-memory.dmp

memory/376-653-0x0000000009DD0000-0x0000000009DE0000-memory.dmp

memory/376-652-0x0000000009E00000-0x0000000009E4C000-memory.dmp

memory/376-654-0x000000000BF80000-0x000000000BF88000-memory.dmp

memory/376-655-0x0000000006C70000-0x0000000006C80000-memory.dmp

memory/376-656-0x000000000C080000-0x000000000C088000-memory.dmp

memory/376-657-0x000000000C750000-0x000000000C788000-memory.dmp

memory/376-658-0x000000000C720000-0x000000000C72E000-memory.dmp

memory/376-659-0x0000000006C70000-0x0000000006C80000-memory.dmp

memory/376-660-0x0000000006C70000-0x0000000006C80000-memory.dmp

memory/376-661-0x0000000007550000-0x0000000007560000-memory.dmp

memory/376-662-0x0000000006C70000-0x0000000006C80000-memory.dmp

memory/376-665-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/4988-666-0x00000120C3940000-0x00000120C3950000-memory.dmp

memory/4988-682-0x00000120C3A40000-0x00000120C3A50000-memory.dmp

memory/4988-698-0x00000120CBD80000-0x00000120CBD81000-memory.dmp

memory/4988-700-0x00000120CBDB0000-0x00000120CBDB1000-memory.dmp

memory/4988-701-0x00000120CBDB0000-0x00000120CBDB1000-memory.dmp

memory/4988-702-0x00000120CBEC0000-0x00000120CBEC1000-memory.dmp