Malware Analysis Report

2024-11-13 18:32

Sample ID 241107-15syzsymg1
Target https://cdn.discordapp.com/attachments/1226280722579456000/1226280866872033340/SorillusRAT.rar?ex=672e810d&is=672d2f8d&hm=99cf9f0863a61ebbfea5c2708b3b0ab730b051f54a2969a83d474759c0d7c6fe&
Tags: adwind, discovery, trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://cdn.discordapp.com/attachments/1226280722579456000/1226280866872033340/SorillusRAT.rar?ex=672e810d&is=672d2f8d&hm=99cf9f0863a61ebbfea5c2708b3b0ab730b051f54a2969a83d474759c0d7c6fe& was found to be: Known bad.

Malicious Activity Summary

adwind discovery trojan

Class file contains resources related to AdWind

AdWind

Adwind family

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Browser Information Discovery

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 22:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 22:14

Reported

2024-11-07 22:16

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

100s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1226280722579456000/1226280866872033340/SorillusRAT.rar?ex=672e810d&is=672d2f8d&hm=99cf9f0863a61ebbfea5c2708b3b0ab730b051f54a2969a83d474759c0d7c6fe&

Signatures

AdWind

trojan adwind

Adwind family

adwind

Class file contains resources related to AdWind

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe | N/A
(this row occurs 64 times in the report)

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.amazonaws.com | N/A | N/A
(this row occurs 2 times in the report)

Browser Information Discovery

discovery

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
(this row occurs 47 times in the report)
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
(this row occurs 24 times in the report)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4160 wrote to memory of 1664 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(this row occurs 2 times in the report)
PID 4160 wrote to memory of 760 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(this row occurs 40 times in the report)
PID 4160 wrote to memory of 1860 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(this row occurs 2 times in the report)
PID 4160 wrote to memory of 4600 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(this row occurs 20 times in the report)

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1226280722579456000/1226280866872033340/SorillusRAT.rar?ex=672e810d&is=672d2f8d&hm=99cf9f0863a61ebbfea5c2708b3b0ab730b051f54a2969a83d474759c0d7c6fe&

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1ad246f8,0x7ffd1ad24708,0x7ffd1ad24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SorillusRAT\" -ad -an -ai#7zMap21634:84:7zEvent9689

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\SorillusRAT\Sorillus\start.bat" "

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe

jre1.8.0_361\bin\java.exe -jar -noverify Sorillus.jar

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             241.150.49.20.in-addr.arpa      udp
US       8.8.8.8:53             cdn.discordapp.com              udp
US       162.159.129.233:443    cdn.discordapp.com              tcp
US       8.8.8.8:53             233.129.159.162.in-addr.arpa    udp
US       8.8.8.8:53             0.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
N/A      224.0.0.251:5353       -                               udp
US       8.8.8.8:53             28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53             217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53             197.87.175.4.in-addr.arpa       udp
US       8.8.8.8:53             241.42.69.40.in-addr.arpa       udp
US       8.8.8.8:53             77.190.18.2.in-addr.arpa        udp
US       8.8.8.8:53             checkip.amazonaws.com           udp
IE       54.170.42.147:443      checkip.amazonaws.com           tcp
US       8.8.8.8:53             147.42.170.54.in-addr.arpa      udp
US       8.8.8.8:53             79.190.18.2.in-addr.arpa        udp
US       8.8.8.8:53             23.236.111.52.in-addr.arpa      udp
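The process chain above (7zG.exe extracting into Downloads, cmd.exe running start.bat, the bundled jre1.8.0_361\bin\java.exe launching Sorillus.jar with -noverify) and the checkip.amazonaws.com lookup in the Network table are the behaviours a detection engineer would want to catch independently of the AdWind signatures. The script below is an added example, not part of the sandbox report: it scores constructed process-creation and DNS records that mirror the report's command lines, plus a benign java.exe launch as a control. The Sysmon-like field names (pid, ppid, image, cmdline, query), the list of IP-check services beyond checkip.amazonaws.com and the alert threshold are assumptions for the example. -noverify disables the JVM bytecode verifier; some legitimate tooling uses it, but it is rare for an application launched from a user's Downloads folder by a batch file, so it is weighted together with the location and the parent rather than alerting on its own.

```python
"""Behavioural detection for the chain this report records.

Added example, not part of the sandbox report. Field names are a
hypothetical Sysmon-like schema; the records are constructed to mirror
the report's command lines and DNS rows.
"""
import re

# Constructed process-creation events: the report's chain plus a benign
# java.exe launch from an installed JRE as a control (pid 6100).
PROCESS_EVENTS = [
    {"pid": 4001, "ppid": 3990, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SorillusRAT\" -ad -an -ai#7zMap21634:84:7zEvent9689'},
    {"pid": 4010, "ppid": 3990, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\SorillusRAT\Sorillus\start.bat" "'},
    {"pid": 5876, "ppid": 4010,
     "image": r"C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe",
     "cmdline": r"jre1.8.0_361\bin\java.exe -jar -noverify Sorillus.jar"},
    {"pid": 6100, "ppid": 3990, "image": r"C:\Program Files\Java\jre1.8.0_361\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_361\bin\java.exe" -jar app.jar'},
]
# Constructed DNS events keyed to the process that issued them.
DNS_EVENTS = [
    {"pid": 5876, "query": "checkip.amazonaws.com"},
    {"pid": 6100, "query": "updates.example.com"},
]

# Locations an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|documents|appdata)\\|\\temp\\", re.I)
# Web services used to learn the external IP; checkip.amazonaws.com is the
# one this report shows, the others are an assumed extension of the list.
IP_CHECK_DOMAINS = {"checkip.amazonaws.com", "api.ipify.org",
                    "ifconfig.me", "icanhazip.com"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(process_events, dns_events):
    """Return {pid: [reason, ...]} for every process event."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = {e["pid"]: [] for e in process_events}
    for e in process_events:
        base = basename(e["image"])
        cmd = e["cmdline"].lower()
        tokens = cmd.split()
        reasons = findings[e["pid"]]
        if base == "java.exe" and USER_WRITABLE.search(e["image"]):
            reasons.append("java.exe runs from a user-writable path (bundled JRE)")
        if "-noverify" in tokens and "-jar" in tokens:
            reasons.append("JAR launched with -noverify (bytecode verifier disabled)")
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "cmd.exe" \
                and ".bat" in parent["cmdline"].lower():
            reasons.append("spawned by cmd.exe running a batch file")
        if base == "cmd.exe" and ".bat" in cmd and USER_WRITABLE.search(cmd):
            reasons.append("cmd.exe runs a .bat from a user-writable path")
        if base == "7zg.exe" and " x " in cmd and USER_WRITABLE.search(cmd):
            reasons.append("7-Zip extracts an archive into a user-writable path")
    for d in dns_events:
        if d["query"].lower() in IP_CHECK_DOMAINS and d["pid"] in findings:
            findings[d["pid"]].append("external IP lookup via " + d["query"])
    return findings


def verdict(reasons):
    # Threshold is an assumption for the example, not a tuned rule.
    return "alert" if len(reasons) >= 2 else "info" if reasons else "clean"


if __name__ == "__main__":
    for pid, reasons in evaluate(PROCESS_EVENTS, DNS_EVENTS).items():
        print(pid, verdict(reasons), reasons)
```

The control launch (an installed JRE under Program Files, no -noverify, no IP-check lookup) scores clean, while the report's java.exe collects four independent reasons; correlating them on the pid is what keeps each weak signal from alerting by itself.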

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e443ee4336fcf13c698b8ab5f3c173d0
SHA1 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512 cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

\??\pipe\LOCAL\crashpad_4160_CIQSJBXEPQVATJCS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56a4f78e21616a6e19da57228569489b
SHA1 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512 c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 505ece528c808e3b3e0f12c766507734
SHA1 e5803bd32bb5daf2d58c95a8bfdacdd255e6bc77
SHA256 ce6c29dfab211194db59e86c7e594d755c0ae60f7168e62e8379bcbc256e553b
SHA512 4b99151935836c46ed1a611120b1debb9e57656ef49a2aa64cd12772efadbddaab4973aa8c5beb6f96621ebb1f8516067569c4031ab72086c1da13261693e507

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8fbe5c580ba4ae5cee86c5c244b3a527
SHA1 4d3532f5e585bb1296bb505519b12863c6cc17a3
SHA256 3f8de16d35db56d96b98bd41c41cf7b2afef877e5fa69a193e75b9c57d6a7227
SHA512 9a9dd08a480c56c1e9e4028154dfa9ccdc7c6141c5772847ac4ff4b4ea6202242e338f01f2e2a704f22d92fe5f77ee89721cbd97012fd04f01c50c15028babac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 26f59622ce0f834c8bf2f138248aece3
SHA1 c0c7fa3b9bf9ab61ab5a32ab0588e5aa315904f4
SHA256 406212e95bc5c80aa4d672506a554a88a4c57f5bd511d118055d4a4c94e495d3
SHA512 ced9fa266334e512d65cebd0989d4865d87f5a3e9c00bffae8c203889a9f3d2f3f549362be61b5d007527896a77141d6da6aa0d0da4e54c06b504342c5a4a43f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f13de8bfbb2490298f347b776a793e44
SHA1 13dc53ff649b9c814d2b17481d2c5d7675d95ba9
SHA256 f4fd1e57c232a4f46bfd9b7a97907b28dc9786c62883580aa4f4e6e260745c47
SHA512 24df003b9c9adde7a89a3c8992f7fa5f4363113262468fefb3881abb54fb4e7c2d1b7ffc645f5784f166b22f5df03ba8d4bbae559ccbd3e3b59ec83cc8571d2d

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\start.bat

MD5 b7e19bf7ee3ff739bb7977b9b9655c44
SHA1 8d0c93c1a8640ba323ef3005f84658d6ef2fcb8d
SHA256 bbff9e1199f9720bd6f14697d367aefe2f296da6865ec739e9acfa0790d973b0
SHA512 d754a41f895e708c7086029a33421f2e87282339b55654062a26eeb9ea0ceda6dbdd6ae7a26589f6289a9547ae3c21c816e39b357da2ee5877fef1e48331300b

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe

MD5 47b34557cbf069e0ad9807305cb5c36a
SHA1 58abfbefc486427175b15e69e8e8f4e346318c34
SHA256 cabcfcf1aebf926bbe03b2aded9e7bbb57f4e10600578a6f2acafbf83b7423d4
SHA512 f9354ec19c3bad2a3a9e95211a306e54ebe559127d8ae660ce75c88839afd558821a0a858366db8820517cb12f7fe0056bb5c09199c1fe1a9083e299b02a148d

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\server\jvm.dll

MD5 a5b5e313919826735b73731252a2bc2e
SHA1 090054f0aeeaaac570130ef5a03c26970cdb050c
SHA256 86765f3558ffbb2cf28fb683ee17c288967e636b5cb4fe0422ade39591f6abf4
SHA512 2e0199624f91f9c952ea4fb81a01096febe8dde6fba85f66e7978c98ba749da3cd53cb6d986260e357c19a1d3b5411d6716548ef57e31ec75d55f4d3a3420c3f

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\msvcp140.dll

MD5 c1b066f9e3e2f3a6785161a8c7e0346a
SHA1 8b3b943e79c40bc81fdac1e038a276d034bbe812
SHA256 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
SHA512 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\vcruntime140.dll

MD5 1453290db80241683288f33e6dd5e80e
SHA1 29fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA256 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA512 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.dll

MD5 db081a9968bb0c37a57725cdb66a0c7b
SHA1 d5fed172d82111d1f3bcb46ab3bd8b412f3ee003
SHA256 5b9b01f1ec06ad559285201cf0907e1c31473f6fb91aa09813dd8f076f94afe3
SHA512 8a3717be2bdc1d2e628a069a61ac5b504467c52c7b52496c14050cd0fbc3e1023c791ca8b5c3270579e1cc725a8a0cff62c427dc1c25c2ec74725d1dacc621d5

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\meta-index

MD5 91aa6ea7320140f30379f758d626e59d
SHA1 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
SHA256 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
SHA512 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jfr.jar

MD5 18c5aec1e008f781bf74707662920000
SHA1 c29c11cda5b867b68cba1fa7cb331d54a66b3f56
SHA256 e9eab8ec4712142a3ed9ac833d853e144043699c1712986736f3667a9267c11b
SHA512 9988b510d7e036ef41673edd8e38e2f72b695741da3ef63678b808b5e10a76951d016e27cdd23857de0ed0f3b44be8f7fb3a141021b543f104f2a214e53ca74d

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\charsets.jar

MD5 82ade56ed7fa67287198802746ee6045
SHA1 2c5ad0a04bd0fae259cf29af346379284c684d42
SHA256 c89895405e63110d69bb37178f0650bf2a4a489ab9e98da613464c61c475b58c
SHA512 cd3c2180e185d1fce354ede366845668ab165ad0ebf7fd9cd9fbb3723ab64c3515c30e772e1577a747468e530d677c7955b41528d39e6d3c8c988b11604e470d

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jce.jar

MD5 1f4d4fc6b33c30c5782c66b80d92c4f9
SHA1 194df32fb23b470dae4929605d18abd041c743c6
SHA256 81b8de0e148ed3601cf5f1bdf2787c5b15213d842bc537af9ede9635d692b904
SHA512 dfde7e03fc106b785887f2a409b3528c5862663f188c95f6a95c739bdfcc8c6205c03b739de1b259e9a8a0360aa4e10e8d4bce1a57445797a214160b8d98a085

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jsse.jar

MD5 f095a5ac04775e1093d54822460cc5a7
SHA1 2e0f0ec528c41b437126c506a91fe1ad5e699865
SHA256 784b8df88387ee27383d6db4e184b169a21cb4b8bcb0d8395a7b1ac2b128108a
SHA512 c0b5ca94ead3dffd33e19a2d757b2b653867b4f539a143ef17baeef1015c3845aba4f0666ef1d0c7ce02d156ce826b9c324c8159983a71d19d60415d60e25d36

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\resources.jar

MD5 0fdcdf2b521c8ffba3fcae32a684358e
SHA1 45a3ae43334b1a0f46d76599d3926c40fa790965
SHA256 2189d10490922562be379da742eedc5e77cac61a6d2a484a3ed4693965dfe290
SHA512 1a1489faa7903bc24d4cc3fbd0ee80e79602a39ea9530f10075a52460e6100c807dbafb17e4b1a7997c23cbe3906808291be7718e6525a79a295e1ddc8ed9eda

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\zip.dll

MD5 7c7a8adce66eeb67a96ca617c8286d72
SHA1 da1f100637f0b94aaea4e3999ef96a32a63bfc2b
SHA256 d15be64cc05ae14db69b5a3558cd57767eda91e708c74d3dccdc4958c42cb5d9
SHA512 00d3c1145b8c8ea246f456000c2fcfe1e978d148ad69ddabdf9e5f332db4e44025211916c6452b5030f8326d523d6e72de8aebd9e41d83afccb8713e88782f31

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\verify.dll

MD5 c15088054d639475e51b88251369c226
SHA1 8849a9ee53e6bc7d1618103b674a6f481b72f3aa
SHA256 a7e7890ec2e238b3108fe2d9b4796898b2fff30ce07957f60689975d7460098c
SHA512 81ae70caf0304c63adadc3437e592ea9540db59ac7bd7417b769b5702a2aa012bec79aab8ce01187ebbd78555b7824fc4434a113dd9be5b667ce693b293122c4

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\amd64\jvm.cfg

MD5 499f2a4e0a25a41c1ff80df2d073e4fd
SHA1 e2469cbe07e92d817637be4e889ebb74c3c46253
SHA256 80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb
SHA512 7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\Sorillus.jar

MD5 f9119b4bbb55ce59f43113c71cd177f8
SHA1 1605b453fa74091f92f51691a3dd378c1b67f3fa
SHA256 3eb57cd3c204ba1741e4500ef2566f524b10f4da23b3831f0855abcea0987649
SHA512 b166ce950e2c2bd2f23fe9063656ffd31da66dbd699419a71479d52654bf4113bddd8f51392577470a6f1342cc7546f5474d0765a209ff3b01ae65074d04a650

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\ext\meta-index

MD5 005faac2118450bfcd46ae414da5f0e5
SHA1 9f5c887e0505e1bb06bd1fc7975a3219709d061d
SHA256 f0bce718f8d2b38247ce0ac814a1470c826602f4251d86369c2359ff60676bd8
SHA512 8b618c74b359ab3c9d3c8a4864f8e48fe4054514a396352a829a84c9b843a2028c6c31eb53e857e03c803294e05f69c5bf586e261312264e7607b2efd14f78a9

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\ext\jfxrt.jar

MD5 671df034c39d335d5e9de4da7cf70e97
SHA1 184aa46308c1af192f119b6cae48c6a567175592
SHA256 0fb07fad0f05706dcdb487ef3fa8adfc97e1a47792ee9cb7af359c77a9393542
SHA512 7512b351ef1429bb722318c415cbcd5459dc86678b11634e3dd8e83394e59a48551a817842d73107546ffdfe05eb06f7ab4ce6a853ce266f3503885d4517a8ed

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll

MD5 3bf4406de02aa148f460e5d709f4f67d
SHA1 89b28107c39bb216da00507ffd8adb7838d883f6
SHA256 349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e
SHA512 5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-handle-l1-1-0.dll

MD5 bbafa10627af6dfae5ed6e4aeae57b2a
SHA1 3094832b393416f212db9107add80a6e93a37947
SHA256 c78a1217f8dcb157d1a66b80348da48ebdbbedcea1d487fc393191c05aad476d
SHA512 d5fcba2314ffe7ff6e8b350d65a2cdd99ca95ea36b71b861733bc1ed6b6bb4d85d4b1c4c4de2769fbf90d4100b343c250347d9ed1425f4a6c3fe6a20aed01f17

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-2-0.dll

MD5 35bc1f1c6fbccec7eb8819178ef67664
SHA1 bbcad0148ff008e984a75937aaddf1ef6fda5e0c
SHA256 7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7
SHA512 9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll

MD5 580d9ea2308fc2d2d2054a79ea63227c
SHA1 04b3f21cbba6d59a61cd839ae3192ea111856f65
SHA256 7cb0396229c3da434482a5ef929d3a2c392791712242c9693f06baa78948ef66
SHA512 97c1d3f4f9add03f21c6b3517e1d88d1bf9a8733d7bdca1aecba9e238d58ff35780c4d865461cc7cd29e9480b3b3b60864abb664dcdc6f691383d0b281c33369

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 94788729c9e7b9c888f4e323a27ab548
SHA1 b0ba0c4cf1d8b2b94532aa1880310f28e87756ec
SHA256 accdd7455fb6d02fe298b987ad412e00d0b8e6f5fb10b52826367e7358ae1187
SHA512 ab65495b1d0dd261f2669e04dc18a8da8f837b9ac622fc69fde271ff5e6aa958b1544edd8988f017d3dd83454756812c927a7702b1ed71247e506530a11f21c6

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll

MD5 b0e0678ddc403effc7cdc69ae6d641fb
SHA1 c1a4ce4ded47740d3518cd1ff9e9ce277d959335
SHA256 45e48320abe6e3c6079f3f6b84636920a367989a88f9ba6847f88c210d972cf1
SHA512 2badf761a0614d09a60d0abb6289ebcbfa3bf69425640eb8494571afd569c8695ae20130aac0e1025e8739d76a9bff2efc9b4358b49efe162b2773be9c3e2ad4

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-datetime-l1-1-0.dll

MD5 ac51e3459e8fce2a646a6ad4a2e220b9
SHA1 60cf810b7ad8f460d0b8783ce5e5bbcd61c82f1a
SHA256 77577f35d3a61217ea70f21398e178f8749455689db52a2b35a85f9b54c79638
SHA512 6239240d4f4fa64fc771370fb25a16269f91a59a81a99a6a021b8f57ca93d6bb3b3fcecc8dede0ef7914652a2c85d84d774f13a4143536a3f986487a776a2eae

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-2-0.dll

MD5 7676560d0e9bc1ee9502d2f920d2892f
SHA1 4a7a7a99900e41ff8a359ca85949acd828ddb068
SHA256 00942431c2d3193061c7f4dc340e8446bfdbf792a7489f60349299dff689c2f9
SHA512 f1e8db9ad44cd1aa991b9ed0e000c58978eb60b3b7d9908b6eb78e8146e9e12590b0014fc4a97bc490ffe378c0bf59a6e02109bfd8a01c3b6d0d653a5b612d15

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-1-0.dll

MD5 919e653868a3d9f0c9865941573025df
SHA1 eff2d4ff97e2b8d7ed0e456cb53b74199118a2e2
SHA256 2afbfa1d77969d0f4cee4547870355498d5c1da81d241e09556d0bd1d6230f8c
SHA512 6aec9d7767eb82ebc893ebd97d499debff8da130817b6bb4bcb5eb5de1b074898f87db4f6c48b50052d4f8a027b3a707cad9d7ed5837a6dd9b53642b8a168932

memory/5876-721-0x00000219884E0000-0x00000219884E1000-memory.dmp

memory/5876-728-0x00000219884E0000-0x00000219884E1000-memory.dmp

memory/5876-774-0x00000219884E0000-0x00000219884E1000-memory.dmp

memory/5876-780-0x00000219884E0000-0x00000219884E1000-memory.dmp

memory/5876-809-0x00000219884E0000-0x00000219884E1000-memory.dmp

C:\Users\Admin\Sorillus\.tmp\+JXF5367482807448859469.tmp

MD5 de2d73ffb31b036a481049751970e2ca
SHA1 5c26b381aa54a3336729cbaf4281620e03c34873
SHA256 5afafd11dad40cc06023a6a5c1a6793b1cb55720314a18d4352879d6214b014e
SHA512 f19bda9d9f355dab1ae3846c5e3a6535e59c529d0efe6204dd54000f3e088cf94099a1ccab94c0fadf7631385b94ca8c667f76c0556066ea49f06b2ac1479adb

C:\Users\Admin\Sorillus\.tmp\+JXF617939151534158829.tmp

MD5 1bf71be111189e76987a4bb9b3115cb7
SHA1 40442c189568184b6e6c27a25d69f14d91b65039
SHA256 cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424
SHA512 cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

C:\Users\Admin\Sorillus\.tmp\+JXF7661311954204913049.tmp

MD5 8a36205bd9b83e03af0591a004bc97f4
SHA1 56c5c0d38bde4c1f1549dda43db37b09c608aad3
SHA256 4e147ab64b9fdf6d89d01f6b8c3ca0b3cddc59d608a8e2218f9a2504b5c98e14
SHA512 e96b43b0ca3fd7775d75a702f44cd1b0dfd325e1db317f7cba84efdf572571fe7594068f9132a937251aab8bd1f68783213677d4953aca197195fbe5db1f90d7

memory/5876-912-0x00000219884E0000-0x00000219884E1000-memory.dmp

C:\Users\Admin\Sorillus\.tmp\+JXF5726086351261884712.tmp

MD5 731484623dfcbf11c948feea896b83c8
SHA1 464d1c30e20128907d6f6d667a48a3213ac4df83
SHA256 a4d9acdd8e2bb188c832059a86636b4b26118d5965f0c08debd2b62c0d63c9a5
SHA512 5dacfce6e70eff4141f107cd47c0c50068205485a9977fe60933238e750de8a46acaf99eed8dd08d70de2266360315db6b247e8e943fa276023c5360be81e794

C:\Users\Admin\Sorillus\.tmp\+JXF2559237847049579609.tmp

MD5 629a55a7e793da068dc580d184cc0e31
SHA1 3564ed0b5363df5cf277c16e0c6bedc5a682217f
SHA256 e64e508b2aa2880f907e470c4550980ec4c0694d103a43f36150ac3f93189bee
SHA512 6c24c71bee7370939df8085fa70f1298cfa9be6d1b9567e2a12b9bb92872a45547cbabcf14a5d93a6d86cd77165eb262ba8530b988bf2c989fadb255c943df9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 094ab275342c45551894b7940ae9ad0d
SHA1 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256 ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA512 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

memory/5876-1101-0x00000219884E0000-0x00000219884E1000-memory.dmp

memory/5876-1150-0x00000219884E0000-0x00000219884E1000-memory.dmp

C:\Users\Admin\Sorillus\.tmp\dashboard.css4966526211844660312.tmp

MD5 6c80cc46e79e122ffd3548fe8cb29b2c
SHA1 84b5047e39ba1bdbfa6d371baef4ef303a8fc7c3
SHA256 1489a290e7427c90c84ca7b77cd2d80df3dd9d8bcd522696ff94b60e5a03954b
SHA512 cdb642b4368cd300c77bf7ab49474108a0f53abaca1247709ef0b9932b9e79e88c6a3db64bae9183d9af8433dd73e058582729be92358eaa5a9538cf0dbb4404

C:\Users\Admin\Sorillus\.tmp\clients.css6448666254406027915.tmp

MD5 73170a0b32597f7f2394efda2fb0052c
SHA1 23b2b34660feedcfae760096debd44515c4fb580
SHA256 8bab80ef1af4a46664abf487b23a3cb3ba2fd083fc06b820089cbd9644a20b78
SHA512 ddc9e89df5a345c5d8d3b392aa9671c86afc2cb8ec0885430eab286ee1420ca11dc565e1afc482957564b2a5456d48a59d6a1a7e6ecff92f56abc8366fbc0719
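The Files list mixes three kinds of artifact: Edge profile writes caused by the browser download, the stock files of the JRE bundled under jre1.8.0_361, and the payload itself (start.bat, Sorillus.jar and the .tmp files written under C:\Users\Admin\Sorillus). Note also that the crashpad pipe entry carries the MD5, SHA1 and SHA256 of zero-byte input (d41d8cd9..., da39a3ee..., e3b0c442...), so those values match every empty file and are useless as indicators. The parser below is an added example, not tooling from the sandbox report: it reads the report's path-then-hash layout, validates digest lengths, and buckets entries so that only payload hashes end up in a blocklist. The sample input is constructed from a handful of entries copied from this report; the bucket names and the path markers used to recognise browser and runtime files are assumptions.

```python
"""Turn the report's Files section into a usable IOC list.

Added example, not tooling from the sandbox report. Parses the
path-then-hash layout, validates digest lengths, and separates payload
artefacts from browser noise, bundled-runtime files and empty-input
digests. Bucket names are assumptions for this example.
"""
import re

# Constructed sample: entries copied from this report, in the report's
# own layout (path line, blank line, one "ALGO hex" line per digest).
SAMPLE_FILES_SECTION = r"""
\??\pipe\LOCAL\crashpad_4160_CIQSJBXEPQVATJCS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56a4f78e21616a6e19da57228569489b
SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\start.bat

MD5 b7e19bf7ee3ff739bb7977b9b9655c44
SHA1 8d0c93c1a8640ba323ef3005f84658d6ef2fcb8d
SHA256 bbff9e1199f9720bd6f14697d367aefe2f296da6865ec739e9acfa0790d973b0

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\server\jvm.dll

MD5 a5b5e313919826735b73731252a2bc2e
SHA256 86765f3558ffbb2cf28fb683ee17c288967e636b5cb4fe0422ade39591f6abf4

C:\Users\Admin\Downloads\SorillusRAT\Sorillus\Sorillus.jar

MD5 f9119b4bbb55ce59f43113c71cd177f8
SHA1 1605b453fa74091f92f51691a3dd378c1b67f3fa
SHA256 3eb57cd3c204ba1741e4500ef2566f524b10f4da23b3831f0855abcea0987649

memory/5876-721-0x00000219884E0000-0x00000219884E1000-memory.dmp

C:\Users\Admin\Sorillus\.tmp\+JXF5367482807448859469.tmp

MD5 de2d73ffb31b036a481049751970e2ca
SHA256 5afafd11dad40cc06023a6a5c1a6793b1cb55720314a18d4352879d6214b014e
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)\s*$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Digests of zero-byte input; an entry carrying these says nothing about
# the sample (the crashpad pipe in this report is one such entry).
EMPTY_DIGESTS = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
# Assumed markers for browser-profile writes and a bundled JRE directory.
BROWSER_NOISE = ("\\??\\pipe\\", "\\appdata\\local\\microsoft\\edge\\")
BUNDLED_JRE = re.compile(r"\\jre\d[^\\]*\\")


def parse_files_section(text):
    """Return [{'path': str, 'hashes': {algo: hex}}] in report order.
    Any non-empty line that is not a well-formed hash line starts a new
    entry, so memory/... regions become entries with no hashes."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and entries:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) == HASH_LEN[algo]:   # drop truncated digests
                entries[-1]["hashes"][algo] = digest
            continue
        entries.append({"path": line, "hashes": {}})
    return entries


def classify(entry):
    p = entry["path"].lower()
    h = entry["hashes"]
    if p.startswith("memory/"):
        return "memory_region"
    if not h:
        return "no_hash"
    if any(h.get(algo) == digest for algo, digest in EMPTY_DIGESTS.items()):
        return "empty_file"
    if any(marker in p for marker in BROWSER_NOISE):
        return "browser_noise"
    if BUNDLED_JRE.search(p):
        return "bundled_runtime"
    return "payload"


def extract_iocs(text):
    """Group entries by bucket; each item keeps the path and its SHA256."""
    groups = {}
    for entry in parse_files_section(text):
        groups.setdefault(classify(entry), []).append(
            {"path": entry["path"], "sha256": entry["hashes"].get("sha256")})
    return groups


if __name__ == "__main__":
    for bucket, items in extract_iocs(SAMPLE_FILES_SECTION).items():
        print(bucket)
        for item in items:
            print("  ", item["sha256"], item["path"])
```

Only the "payload" bucket belongs in a blocklist; the bundled-runtime hashes are kept in their own bucket because matching them would flag any host carrying the same JRE build.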