Analysis Overview
Threat Level: Known bad
The file https://cdn.discordapp.com/attachments/1226280722579456000/1226280866872033340/SorillusRAT.rar?ex=672e810d&is=672d2f8d&hm=99cf9f0863a61ebbfea5c2708b3b0ab730b051f54a2969a83d474759c0d7c6fe& was found to be: Known bad.
Malicious Activity Summary
Class file contains resources related to AdWind
AdWind
Adwind family
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Browser Information Discovery
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 22:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 22:14
Reported
2024-11-07 22:16
Platform
win10v2004-20241007-en
Max time kernel
113s
Max time network
100s
Command Line
Signatures
AdWind
Adwind family
Class file contains resources related to AdWind
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1226280722579456000/1226280866872033340/SorillusRAT.rar?ex=672e810d&is=672d2f8d&hm=99cf9f0863a61ebbfea5c2708b3b0ab730b051f54a2969a83d474759c0d7c6fe&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1ad246f8,0x7ffd1ad24708,0x7ffd1ad24718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,18079744260224593605,11279759784726684409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SorillusRAT\" -ad -an -ai#7zMap21634:84:7zEvent9689
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\SorillusRAT\Sorillus\start.bat" "
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe
jre1.8.0_361\bin\java.exe -jar -noverify Sorillus.jar
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 54.170.42.147:443 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 147.42.170.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e443ee4336fcf13c698b8ab5f3c173d0 |
| SHA1 | 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a |
| SHA256 | 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b |
| SHA512 | cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd |
\??\pipe\LOCAL\crashpad_4160_CIQSJBXEPQVATJCS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56a4f78e21616a6e19da57228569489b |
| SHA1 | 21bfabbfc294d5f2aa1da825c5590d760483bc76 |
| SHA256 | d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb |
| SHA512 | c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 505ece528c808e3b3e0f12c766507734 |
| SHA1 | e5803bd32bb5daf2d58c95a8bfdacdd255e6bc77 |
| SHA256 | ce6c29dfab211194db59e86c7e594d755c0ae60f7168e62e8379bcbc256e553b |
| SHA512 | 4b99151935836c46ed1a611120b1debb9e57656ef49a2aa64cd12772efadbddaab4973aa8c5beb6f96621ebb1f8516067569c4031ab72086c1da13261693e507 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8fbe5c580ba4ae5cee86c5c244b3a527 |
| SHA1 | 4d3532f5e585bb1296bb505519b12863c6cc17a3 |
| SHA256 | 3f8de16d35db56d96b98bd41c41cf7b2afef877e5fa69a193e75b9c57d6a7227 |
| SHA512 | 9a9dd08a480c56c1e9e4028154dfa9ccdc7c6141c5772847ac4ff4b4ea6202242e338f01f2e2a704f22d92fe5f77ee89721cbd97012fd04f01c50c15028babac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 26f59622ce0f834c8bf2f138248aece3 |
| SHA1 | c0c7fa3b9bf9ab61ab5a32ab0588e5aa315904f4 |
| SHA256 | 406212e95bc5c80aa4d672506a554a88a4c57f5bd511d118055d4a4c94e495d3 |
| SHA512 | ced9fa266334e512d65cebd0989d4865d87f5a3e9c00bffae8c203889a9f3d2f3f549362be61b5d007527896a77141d6da6aa0d0da4e54c06b504342c5a4a43f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f13de8bfbb2490298f347b776a793e44 |
| SHA1 | 13dc53ff649b9c814d2b17481d2c5d7675d95ba9 |
| SHA256 | f4fd1e57c232a4f46bfd9b7a97907b28dc9786c62883580aa4f4e6e260745c47 |
| SHA512 | 24df003b9c9adde7a89a3c8992f7fa5f4363113262468fefb3881abb54fb4e7c2d1b7ffc645f5784f166b22f5df03ba8d4bbae559ccbd3e3b59ec83cc8571d2d |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\images\cursors\win32_LinkNoDrop32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\start.bat
| MD5 | b7e19bf7ee3ff739bb7977b9b9655c44 |
| SHA1 | 8d0c93c1a8640ba323ef3005f84658d6ef2fcb8d |
| SHA256 | bbff9e1199f9720bd6f14697d367aefe2f296da6865ec739e9acfa0790d973b0 |
| SHA512 | d754a41f895e708c7086029a33421f2e87282339b55654062a26eeb9ea0ceda6dbdd6ae7a26589f6289a9547ae3c21c816e39b357da2ee5877fef1e48331300b |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.exe
| MD5 | 47b34557cbf069e0ad9807305cb5c36a |
| SHA1 | 58abfbefc486427175b15e69e8e8f4e346318c34 |
| SHA256 | cabcfcf1aebf926bbe03b2aded9e7bbb57f4e10600578a6f2acafbf83b7423d4 |
| SHA512 | f9354ec19c3bad2a3a9e95211a306e54ebe559127d8ae660ce75c88839afd558821a0a858366db8820517cb12f7fe0056bb5c09199c1fe1a9083e299b02a148d |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\server\jvm.dll
| MD5 | a5b5e313919826735b73731252a2bc2e |
| SHA1 | 090054f0aeeaaac570130ef5a03c26970cdb050c |
| SHA256 | 86765f3558ffbb2cf28fb683ee17c288967e636b5cb4fe0422ade39591f6abf4 |
| SHA512 | 2e0199624f91f9c952ea4fb81a01096febe8dde6fba85f66e7978c98ba749da3cd53cb6d986260e357c19a1d3b5411d6716548ef57e31ec75d55f4d3a3420c3f |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\msvcp140.dll
| MD5 | c1b066f9e3e2f3a6785161a8c7e0346a |
| SHA1 | 8b3b943e79c40bc81fdac1e038a276d034bbe812 |
| SHA256 | 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd |
| SHA512 | 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\vcruntime140.dll
| MD5 | 1453290db80241683288f33e6dd5e80e |
| SHA1 | 29fb9af50458df43ef40bfc8f0f516d0c0a106fd |
| SHA256 | 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c |
| SHA512 | 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\java.dll
| MD5 | db081a9968bb0c37a57725cdb66a0c7b |
| SHA1 | d5fed172d82111d1f3bcb46ab3bd8b412f3ee003 |
| SHA256 | 5b9b01f1ec06ad559285201cf0907e1c31473f6fb91aa09813dd8f076f94afe3 |
| SHA512 | 8a3717be2bdc1d2e628a069a61ac5b504467c52c7b52496c14050cd0fbc3e1023c791ca8b5c3270579e1cc725a8a0cff62c427dc1c25c2ec74725d1dacc621d5 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\meta-index
| MD5 | 91aa6ea7320140f30379f758d626e59d |
| SHA1 | 3be2febe28723b1033ccdaa110eaf59bbd6d1f96 |
| SHA256 | 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4 |
| SHA512 | 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jfr.jar
| MD5 | 18c5aec1e008f781bf74707662920000 |
| SHA1 | c29c11cda5b867b68cba1fa7cb331d54a66b3f56 |
| SHA256 | e9eab8ec4712142a3ed9ac833d853e144043699c1712986736f3667a9267c11b |
| SHA512 | 9988b510d7e036ef41673edd8e38e2f72b695741da3ef63678b808b5e10a76951d016e27cdd23857de0ed0f3b44be8f7fb3a141021b543f104f2a214e53ca74d |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\charsets.jar
| MD5 | 82ade56ed7fa67287198802746ee6045 |
| SHA1 | 2c5ad0a04bd0fae259cf29af346379284c684d42 |
| SHA256 | c89895405e63110d69bb37178f0650bf2a4a489ab9e98da613464c61c475b58c |
| SHA512 | cd3c2180e185d1fce354ede366845668ab165ad0ebf7fd9cd9fbb3723ab64c3515c30e772e1577a747468e530d677c7955b41528d39e6d3c8c988b11604e470d |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jce.jar
| MD5 | 1f4d4fc6b33c30c5782c66b80d92c4f9 |
| SHA1 | 194df32fb23b470dae4929605d18abd041c743c6 |
| SHA256 | 81b8de0e148ed3601cf5f1bdf2787c5b15213d842bc537af9ede9635d692b904 |
| SHA512 | dfde7e03fc106b785887f2a409b3528c5862663f188c95f6a95c739bdfcc8c6205c03b739de1b259e9a8a0360aa4e10e8d4bce1a57445797a214160b8d98a085 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\jsse.jar
| MD5 | f095a5ac04775e1093d54822460cc5a7 |
| SHA1 | 2e0f0ec528c41b437126c506a91fe1ad5e699865 |
| SHA256 | 784b8df88387ee27383d6db4e184b169a21cb4b8bcb0d8395a7b1ac2b128108a |
| SHA512 | c0b5ca94ead3dffd33e19a2d757b2b653867b4f539a143ef17baeef1015c3845aba4f0666ef1d0c7ce02d156ce826b9c324c8159983a71d19d60415d60e25d36 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\resources.jar
| MD5 | 0fdcdf2b521c8ffba3fcae32a684358e |
| SHA1 | 45a3ae43334b1a0f46d76599d3926c40fa790965 |
| SHA256 | 2189d10490922562be379da742eedc5e77cac61a6d2a484a3ed4693965dfe290 |
| SHA512 | 1a1489faa7903bc24d4cc3fbd0ee80e79602a39ea9530f10075a52460e6100c807dbafb17e4b1a7997c23cbe3906808291be7718e6525a79a295e1ddc8ed9eda |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\zip.dll
| MD5 | 7c7a8adce66eeb67a96ca617c8286d72 |
| SHA1 | da1f100637f0b94aaea4e3999ef96a32a63bfc2b |
| SHA256 | d15be64cc05ae14db69b5a3558cd57767eda91e708c74d3dccdc4958c42cb5d9 |
| SHA512 | 00d3c1145b8c8ea246f456000c2fcfe1e978d148ad69ddabdf9e5f332db4e44025211916c6452b5030f8326d523d6e72de8aebd9e41d83afccb8713e88782f31 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\verify.dll
| MD5 | c15088054d639475e51b88251369c226 |
| SHA1 | 8849a9ee53e6bc7d1618103b674a6f481b72f3aa |
| SHA256 | a7e7890ec2e238b3108fe2d9b4796898b2fff30ce07957f60689975d7460098c |
| SHA512 | 81ae70caf0304c63adadc3437e592ea9540db59ac7bd7417b769b5702a2aa012bec79aab8ce01187ebbd78555b7824fc4434a113dd9be5b667ce693b293122c4 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\amd64\jvm.cfg
| MD5 | 499f2a4e0a25a41c1ff80df2d073e4fd |
| SHA1 | e2469cbe07e92d817637be4e889ebb74c3c46253 |
| SHA256 | 80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb |
| SHA512 | 7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\Sorillus.jar
| MD5 | f9119b4bbb55ce59f43113c71cd177f8 |
| SHA1 | 1605b453fa74091f92f51691a3dd378c1b67f3fa |
| SHA256 | 3eb57cd3c204ba1741e4500ef2566f524b10f4da23b3831f0855abcea0987649 |
| SHA512 | b166ce950e2c2bd2f23fe9063656ffd31da66dbd699419a71479d52654bf4113bddd8f51392577470a6f1342cc7546f5474d0765a209ff3b01ae65074d04a650 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\ext\meta-index
| MD5 | 005faac2118450bfcd46ae414da5f0e5 |
| SHA1 | 9f5c887e0505e1bb06bd1fc7975a3219709d061d |
| SHA256 | f0bce718f8d2b38247ce0ac814a1470c826602f4251d86369c2359ff60676bd8 |
| SHA512 | 8b618c74b359ab3c9d3c8a4864f8e48fe4054514a396352a829a84c9b843a2028c6c31eb53e857e03c803294e05f69c5bf586e261312264e7607b2efd14f78a9 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\lib\ext\jfxrt.jar
| MD5 | 671df034c39d335d5e9de4da7cf70e97 |
| SHA1 | 184aa46308c1af192f119b6cae48c6a567175592 |
| SHA256 | 0fb07fad0f05706dcdb487ef3fa8adfc97e1a47792ee9cb7af359c77a9393542 |
| SHA512 | 7512b351ef1429bb722318c415cbcd5459dc86678b11634e3dd8e83394e59a48551a817842d73107546ffdfe05eb06f7ab4ce6a853ce266f3503885d4517a8ed |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll
| MD5 | 3bf4406de02aa148f460e5d709f4f67d |
| SHA1 | 89b28107c39bb216da00507ffd8adb7838d883f6 |
| SHA256 | 349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e |
| SHA512 | 5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-handle-l1-1-0.dll
| MD5 | bbafa10627af6dfae5ed6e4aeae57b2a |
| SHA1 | 3094832b393416f212db9107add80a6e93a37947 |
| SHA256 | c78a1217f8dcb157d1a66b80348da48ebdbbedcea1d487fc393191c05aad476d |
| SHA512 | d5fcba2314ffe7ff6e8b350d65a2cdd99ca95ea36b71b861733bc1ed6b6bb4d85d4b1c4c4de2769fbf90d4100b343c250347d9ed1425f4a6c3fe6a20aed01f17 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-2-0.dll
| MD5 | 35bc1f1c6fbccec7eb8819178ef67664 |
| SHA1 | bbcad0148ff008e984a75937aaddf1ef6fda5e0c |
| SHA256 | 7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7 |
| SHA512 | 9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll
| MD5 | 580d9ea2308fc2d2d2054a79ea63227c |
| SHA1 | 04b3f21cbba6d59a61cd839ae3192ea111856f65 |
| SHA256 | 7cb0396229c3da434482a5ef929d3a2c392791712242c9693f06baa78948ef66 |
| SHA512 | 97c1d3f4f9add03f21c6b3517e1d88d1bf9a8733d7bdca1aecba9e238d58ff35780c4d865461cc7cd29e9480b3b3b60864abb664dcdc6f691383d0b281c33369 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 94788729c9e7b9c888f4e323a27ab548 |
| SHA1 | b0ba0c4cf1d8b2b94532aa1880310f28e87756ec |
| SHA256 | accdd7455fb6d02fe298b987ad412e00d0b8e6f5fb10b52826367e7358ae1187 |
| SHA512 | ab65495b1d0dd261f2669e04dc18a8da8f837b9ac622fc69fde271ff5e6aa958b1544edd8988f017d3dd83454756812c927a7702b1ed71247e506530a11f21c6 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll
| MD5 | b0e0678ddc403effc7cdc69ae6d641fb |
| SHA1 | c1a4ce4ded47740d3518cd1ff9e9ce277d959335 |
| SHA256 | 45e48320abe6e3c6079f3f6b84636920a367989a88f9ba6847f88c210d972cf1 |
| SHA512 | 2badf761a0614d09a60d0abb6289ebcbfa3bf69425640eb8494571afd569c8695ae20130aac0e1025e8739d76a9bff2efc9b4358b49efe162b2773be9c3e2ad4 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | ac51e3459e8fce2a646a6ad4a2e220b9 |
| SHA1 | 60cf810b7ad8f460d0b8783ce5e5bbcd61c82f1a |
| SHA256 | 77577f35d3a61217ea70f21398e178f8749455689db52a2b35a85f9b54c79638 |
| SHA512 | 6239240d4f4fa64fc771370fb25a16269f91a59a81a99a6a021b8f57ca93d6bb3b3fcecc8dede0ef7914652a2c85d84d774f13a4143536a3f986487a776a2eae |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-2-0.dll
| MD5 | 7676560d0e9bc1ee9502d2f920d2892f |
| SHA1 | 4a7a7a99900e41ff8a359ca85949acd828ddb068 |
| SHA256 | 00942431c2d3193061c7f4dc340e8446bfdbf792a7489f60349299dff689c2f9 |
| SHA512 | f1e8db9ad44cd1aa991b9ed0e000c58978eb60b3b7d9908b6eb78e8146e9e12590b0014fc4a97bc490ffe378c0bf59a6e02109bfd8a01c3b6d0d653a5b612d15 |
C:\Users\Admin\Downloads\SorillusRAT\Sorillus\jre1.8.0_361\bin\api-ms-win-core-console-l1-1-0.dll
| MD5 | 919e653868a3d9f0c9865941573025df |
| SHA1 | eff2d4ff97e2b8d7ed0e456cb53b74199118a2e2 |
| SHA256 | 2afbfa1d77969d0f4cee4547870355498d5c1da81d241e09556d0bd1d6230f8c |
| SHA512 | 6aec9d7767eb82ebc893ebd97d499debff8da130817b6bb4bcb5eb5de1b074898f87db4f6c48b50052d4f8a027b3a707cad9d7ed5837a6dd9b53642b8a168932 |
memory/5876-721-0x00000219884E0000-0x00000219884E1000-memory.dmp
memory/5876-728-0x00000219884E0000-0x00000219884E1000-memory.dmp
memory/5876-774-0x00000219884E0000-0x00000219884E1000-memory.dmp
memory/5876-780-0x00000219884E0000-0x00000219884E1000-memory.dmp
memory/5876-809-0x00000219884E0000-0x00000219884E1000-memory.dmp
C:\Users\Admin\Sorillus\.tmp\+JXF5367482807448859469.tmp
| MD5 | de2d73ffb31b036a481049751970e2ca |
| SHA1 | 5c26b381aa54a3336729cbaf4281620e03c34873 |
| SHA256 | 5afafd11dad40cc06023a6a5c1a6793b1cb55720314a18d4352879d6214b014e |
| SHA512 | f19bda9d9f355dab1ae3846c5e3a6535e59c529d0efe6204dd54000f3e088cf94099a1ccab94c0fadf7631385b94ca8c667f76c0556066ea49f06b2ac1479adb |
C:\Users\Admin\Sorillus\.tmp\+JXF617939151534158829.tmp
| MD5 | 1bf71be111189e76987a4bb9b3115cb7 |
| SHA1 | 40442c189568184b6e6c27a25d69f14d91b65039 |
| SHA256 | cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424 |
| SHA512 | cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061 |
C:\Users\Admin\Sorillus\.tmp\+JXF7661311954204913049.tmp
| MD5 | 8a36205bd9b83e03af0591a004bc97f4 |
| SHA1 | 56c5c0d38bde4c1f1549dda43db37b09c608aad3 |
| SHA256 | 4e147ab64b9fdf6d89d01f6b8c3ca0b3cddc59d608a8e2218f9a2504b5c98e14 |
| SHA512 | e96b43b0ca3fd7775d75a702f44cd1b0dfd325e1db317f7cba84efdf572571fe7594068f9132a937251aab8bd1f68783213677d4953aca197195fbe5db1f90d7 |
memory/5876-912-0x00000219884E0000-0x00000219884E1000-memory.dmp
C:\Users\Admin\Sorillus\.tmp\+JXF5726086351261884712.tmp
| MD5 | 731484623dfcbf11c948feea896b83c8 |
| SHA1 | 464d1c30e20128907d6f6d667a48a3213ac4df83 |
| SHA256 | a4d9acdd8e2bb188c832059a86636b4b26118d5965f0c08debd2b62c0d63c9a5 |
| SHA512 | 5dacfce6e70eff4141f107cd47c0c50068205485a9977fe60933238e750de8a46acaf99eed8dd08d70de2266360315db6b247e8e943fa276023c5360be81e794 |
C:\Users\Admin\Sorillus\.tmp\+JXF2559237847049579609.tmp
| MD5 | 629a55a7e793da068dc580d184cc0e31 |
| SHA1 | 3564ed0b5363df5cf277c16e0c6bedc5a682217f |
| SHA256 | e64e508b2aa2880f907e470c4550980ec4c0694d103a43f36150ac3f93189bee |
| SHA512 | 6c24c71bee7370939df8085fa70f1298cfa9be6d1b9567e2a12b9bb92872a45547cbabcf14a5d93a6d86cd77165eb262ba8530b988bf2c989fadb255c943df9b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 094ab275342c45551894b7940ae9ad0d |
| SHA1 | 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e |
| SHA256 | ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3 |
| SHA512 | 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d |
memory/5876-1101-0x00000219884E0000-0x00000219884E1000-memory.dmp
memory/5876-1150-0x00000219884E0000-0x00000219884E1000-memory.dmp
C:\Users\Admin\Sorillus\.tmp\dashboard.css4966526211844660312.tmp
| MD5 | 6c80cc46e79e122ffd3548fe8cb29b2c |
| SHA1 | 84b5047e39ba1bdbfa6d371baef4ef303a8fc7c3 |
| SHA256 | 1489a290e7427c90c84ca7b77cd2d80df3dd9d8bcd522696ff94b60e5a03954b |
| SHA512 | cdb642b4368cd300c77bf7ab49474108a0f53abaca1247709ef0b9932b9e79e88c6a3db64bae9183d9af8433dd73e058582729be92358eaa5a9538cf0dbb4404 |
C:\Users\Admin\Sorillus\.tmp\clients.css6448666254406027915.tmp
| MD5 | 73170a0b32597f7f2394efda2fb0052c |
| SHA1 | 23b2b34660feedcfae760096debd44515c4fb580 |
| SHA256 | 8bab80ef1af4a46664abf487b23a3cb3ba2fd083fc06b820089cbd9644a20b78 |
| SHA512 | ddc9e89df5a345c5d8d3b392aa9671c86afc2cb8ec0885430eab286ee1420ca11dc565e1afc482957564b2a5456d48a59d6a1a7e6ecff92f56abc8366fbc0719 |