Malware Analysis Report

2025-01-22 14:52

Sample ID: 241211-b75ccszlhx
Target: test.exe
SHA256: 3bfd1e4cae067297ea03292efbae3f59961453c71a0898433b47961771728544
Tags: orcus rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 3bfd1e4cae067297ea03292efbae3f59961453c71a0898433b47961771728544
Threat Level: Known bad

The file test.exe was found to be: Known bad.

What the two analyses (static1, behavioral1) show, read together: the sample is an unsigned .NET executable identified as the Orcus RAT. When run it compiles C# source at runtime through csc.exe, copies itself byte-for-byte to C:\Program Files\Orcus\Orcus.exe (the dropped file carries the same SHA256 as the submission), launches that copy, drops a bundle of screen and webcam capture libraries (AForge, SharpDX, TurboJpeg) under %APPDATA%\Orcus\, repeatedly spawns and writes into notepad.exe, and repeatedly connects to 147.185.221.24:4580 over TCP.

Malicious Activity Summary

Tags: orcus rat spyware stealer

Signatures triggered (static1 and behavioral1 combined):
Orcurs Rat Executable (signature name as reported; hit in both analyses)
Orcus family
Orcus
Orcus main payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops desktop.ini file(s)
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported: 2024-12-11 01:48

Signatures

Orcurs Rat Executable (no description, indicator, process or target recorded)
Orcus family: orcus
Orcus main payload (no description, indicator, process or target recorded)
Unsigned PE (no description, indicator, process or target recorded; the sample carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-11 01:48
Reported: 2024-12-11 02:00
Platform: win10ltsc2021-20241023-en
Max time kernel: 749s
Max time network: 751s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.exe"

Signatures

Orcus: rat spyware stealer orcus
Orcus family: orcus
Orcus main payload (no description, indicator, process or target recorded)
Orcurs Rat Executable (two hits; no description, indicator, process or target recorded)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Program Files\Orcus\Orcus.exe | N/A

Both the original sample and its dropped copy read the user's Geo\Nation value. Malware reads this key to geofence (for example, to exit on machines in selected countries), but ordinary .NET region/locale initialisation reads it as well, so on its own this is supporting evidence rather than an indicator.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

The signature does not name the DLL; the dropped DLLs on disk are the ones written under C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\ (listed under Files).

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A

Writing under C:\Program Files needs an elevated token, so test.exe was running with administrative rights in this detonation. The dropped Orcus.exe is a byte-identical copy of the sample (same SHA256, see Files) and Orcus.exe.config is its .NET application configuration file.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A

C:\Windows\assembly is the .NET Global Assembly Cache folder; the Desktop.ini activity here is the same event reported under "Drops desktop.ini file(s)" and is low-signal on its own.

Enumerates physical storage devices (no description, indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Polling GetForegroundWindow in a tight loop is how a keylogger or activity monitor tracks which window the victim is typing into. The behaviour is attributed to the running copy (Orcus.exe) only, not to the original test.exe.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Only the first row belongs to the malware: Orcus.exe enables SeDebugPrivilege, the prerequisite for opening and writing into other processes (compare the WriteProcessMemory rows below). AUDIODG.EXE is the Windows audio engine and its privilege adjustments are routine system activity.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Windows\System32\notepad.exe | N/A (five separate notepad.exe instances)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Every parent/child pair was logged twice (two writes per target); the duplicate rows are collapsed here and the write count is shown instead.

Source PID | Target PID | Writes | Source process | Target process
4768 | 2744 | 2 | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
2744 | 4744 | 2 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
4768 | 4572 | 2 | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Program Files\Orcus\Orcus.exe
4572 | 3152, 2376, 1012, 4720, 1528, 2668, 3196, 1188, 2420, 2024, 2676, 3396, 2012, 64, 3700, 1236, 1164, 2108, 3380, 1912, 4360, 4348, 5088, 2056, 2272, 4608, 2636, 2292, 648 | 2 each | C:\Program Files\Orcus\Orcus.exe | C:\Windows\System32\notepad.exe

Three distinct things are visible. test.exe (4768) writing into csc.exe (2744), which in turn writes into cvtres.exe (4744), is the runtime C# compilation chain also visible under Processes. test.exe writing into Orcus.exe (4572) is the sample launching its dropped copy. Orcus.exe then writes into 29 separate notepad.exe processes over the course of the run; the rows record only that cross-process writes happened, not what was written, so this is consistent with, but does not by itself prove, injection into a benign host process. The Processes listing shows many more notepad.exe instances than there are write targets here, so this table is not an exhaustive count of spawned notepads.
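The three patterns described above can be pulled out of the raw rows mechanically. The following is an added example, not part of the sandbox report or of any vendor tooling: it parses an excerpt of the WriteProcessMemory rows copied from this report (the compile chain, the payload launch and the first four notepad.exe targets), counts writes per parent/child pair, flags one source writing into many instances of the same image (injection fan-out), and names the processes that drove a csc.exe → cvtres.exe compilation. The thresholds and field names are the example's own choices.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Excerpt of the WriteProcessMemory rows copied from the report above: the full
# compile chain and payload launch, plus the first four notepad.exe targets
# (the complete table lists 29 distinct notepad.exe PIDs, each written twice).
WPM_ROWS = r"""
PID 4768 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4768 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2744 wrote to memory of 4744 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2744 wrote to memory of 4744 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4768 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Program Files\Orcus\Orcus.exe
PID 4768 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Program Files\Orcus\Orcus.exe
PID 4572 wrote to memory of 3152 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\System32\notepad.exe
PID 4572 wrote to memory of 3152 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\System32\notepad.exe
PID 4572 wrote to memory of 2376 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\System32\notepad.exe
PID 4572 wrote to memory of 2376 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\System32\notepad.exe
PID 4572 wrote to memory of 1012 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\System32\notepad.exe
PID 4572 wrote to memory of 1012 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\System32\notepad.exe
PID 4572 wrote to memory of 4720 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\System32\notepad.exe
PID 4572 wrote to memory of 4720 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\System32\notepad.exe
"""

# "PID <src> wrote to memory of <dst> N/A <source path> <target path>". Both paths
# start with a drive letter, which lets the non-greedy group stop at the right
# space even though "Program Files" contains one.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"src_pid": int(m[1]), "dst_pid": int(m[2]),
                         "src": m[3], "dst": m[4]})
    return rows


def image(path):
    """Base image name, lower-cased, so differently-cased paths compare equal."""
    return PureWindowsPath(path).name.lower()


def write_counts(rows):
    """Number of recorded writes per (source pid, target pid) pair."""
    return Counter((r["src_pid"], r["dst_pid"]) for r in rows)


def injection_fanout(rows, min_targets=3):
    """One source process writing into many separate instances of the same image."""
    targets = defaultdict(set)
    for r in rows:
        targets[(r["src_pid"], image(r["src"]), image(r["dst"]))].add(r["dst_pid"])
    return [{"src_pid": pid, "src": src, "dst": dst, "targets": sorted(pids)}
            for (pid, src, dst), pids in targets.items() if len(pids) >= min_targets]


def compile_parents(rows):
    """Images that launched a csc.exe which then ran cvtres.exe: runtime C# compilation."""
    csc_pids = {r["dst_pid"] for r in rows if image(r["dst"]) == "csc.exe"}
    confirmed = {r["src_pid"] for r in rows
                 if r["src_pid"] in csc_pids and image(r["dst"]) == "cvtres.exe"}
    return sorted({image(r["src"]) for r in rows if r["dst_pid"] in confirmed})


if __name__ == "__main__":
    rows = parse_rows(WPM_ROWS)
    print("writes per pair:", dict(write_counts(rows)))
    print("fan-out:", injection_fanout(rows))
    print("runtime compilers:", compile_parents(rows))
```

The fan-out check keys on (source PID, source image, target image) rather than on the target PID, which is what separates "launched one child" from "wrote into dozens of copies of the same benign binary"; the compile check insists on the cvtres.exe step so that a lone csc.exe launch (a failed compile, or a build tool) does not trip it.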

Processes

(Image path, then the command line as recorded.)

C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3uhrsrxx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1BF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA1BE.tmp"

C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"

C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4b4 0x504

C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  (75 further notepad.exe entries follow in the original listing, every one launched with this same argument-less command line; 76 instances in total)

The csc.exe invocation is the fingerprint of .NET CodeDOM (CSharpCodeProvider) compiling source at runtime: a randomly named <name>.cmdline response file and <name>.0.cs source in %TEMP%, csc.exe called with /noconfig /fullpaths @<name>.cmdline, cvtres.exe turning a CSC*.tmp resource script into a RES*.tmp object, and <name>.dll as the compiled output (all five artifacts are hashed under Files). The v2.0.50727 path means the compiler shipped with the .NET Framework 2.0 runtime was used, which tells you which CLR the sample runs on. Legitimate software rarely needs to compile C# at runtime, so "user process spawns csc.exe with a .cmdline response file in %TEMP%" is a usable detection on its own. AUDIODG.EXE is the Windows audio engine and is unrelated to the sample.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 147.185.221.24:4580 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 147.185.221.24:4580 | | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp
US | 147.185.221.24:4580 | | tcp (16 further connections to the same endpoint; 18 in total)

The only TCP traffic is to 147.185.221.24:4580, contacted 18 times during the 751-second network window. No forward (A-record) lookup precedes it, so the address was not obtained through DNS and is most likely hard-coded in the sample. The PTR query for 24.221.185.147.in-addr.arpa is the reverse lookup of that same address (octets reversed); the remaining in-addr.arpa queries reverse-resolve addresses that are never contacted over TCP in this capture and are most plausibly host or sandbox background activity. For hunting, 147.185.221.24 together with TCP/4580 is the actionable indicator; the reverse-lookup noise is not.
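The correlation just described (reverse the in-addr.arpa name, match it against the repeated TCP destination, confirm no forward lookup produced the address) is worth automating, since sandbox network tables routinely mix C2 traffic with resolver noise. The block below is an added example, not part of the report or of any sandbox vendor's code: it parses the Network table above (copied row for row, with the 16 repeated TCP rows generated in code), counts connections per ip:port, converts PTR names back to forward addresses, and reports the repeated endpoints annotated with whether they were reverse-resolved. The connection threshold is the example's own choice.

```python
import ipaddress
import re
from collections import Counter

# The Network table from the report above, copied row for row
# (Country Destination Domain Proto; TCP rows carry no Domain column).
# The 16 trailing repeats of the TCP row are generated rather than pasted.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 147.185.221.24:4580 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 147.185.221.24:4580 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
""" + "US 147.185.221.24:4580 tcp\n" * 16

PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa$", re.IGNORECASE)


def ptr_target(name):
    """Forward IPv4 address behind a reverse-DNS name (d.c.b.a.in-addr.arpa -> a.b.c.d),
    or None if the name is not a PTR name or the octets are out of range."""
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = m[1].rstrip(".").split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_network(text):
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def repeated_tcp_endpoints(rows, min_connections=5):
    """ip:port pairs contacted at least min_connections times over TCP."""
    counts = Counter((r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    return {ep: n for ep, n in counts.items() if n >= min_connections}


def forward_lookups(rows):
    """Names resolved by ordinary (non-PTR) DNS queries; empty means every
    address the sample contacted was known to it without DNS."""
    return {r["domain"] for r in rows
            if r["domain"] and r["proto"] == "udp" and ptr_target(r["domain"]) is None}


def reverse_lookups(rows):
    """Addresses whose PTR record was queried during the run."""
    out = set()
    for r in rows:
        ip = ptr_target(r["domain"]) if r["domain"] else None
        if ip:
            out.add(ip)
    return out


def c2_candidates(rows):
    """Repeated TCP endpoints, annotated with whether the same address was reverse-resolved."""
    reversed_ips = reverse_lookups(rows)
    return [{"ip": ip, "port": port, "connections": n, "ptr_queried": ip in reversed_ips}
            for (ip, port), n in sorted(repeated_tcp_endpoints(rows).items())]


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print("forward lookups:", forward_lookups(rows) or "none (address not obtained via DNS)")
    print("C2 candidates:", c2_candidates(rows))
```

ptr_target goes through ipaddress.IPv4Address rather than just reversing the string so that a malformed name such as 300.1.1.1.in-addr.arpa is rejected instead of being reported as an address.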

Files

Dropped and written files with the hashes recorded by the sandbox, followed by the memory regions dumped per process.

\??\c:\Users\Admin\AppData\Local\Temp\3uhrsrxx.cmdline (csc.exe response file for the runtime compile)
  MD5    cbf9aa391a62d5166ce973222af8181e
  SHA1   405ae7d2e52e05e22a717ff9229daab7d622d48d
  SHA256 e293a85c184b91a57dfc46768a9459121bcba86ea500da207a3e4bb9bbbab57e
  SHA512 0ecf80611f2cbabde46066aaad7978ec80d4bfc1937ac06a5e6375f3f84a65061ebb08c271dee28a47bcd229e5e576927ea5af6a64754242796ff23d459c4f0e

\??\c:\Users\Admin\AppData\Local\Temp\3uhrsrxx.0.cs (C# source handed to csc.exe)
  MD5    a3bd4369c918cafd1e10a52c90c22c13
  SHA1   5ff86206b604cdaf7b7a34bdb55263f49c5929ff
  SHA256 c13a3424f51e0a8bc3c9341744364588b2c548b0cdd71e02b7c0f8aa9971fa81
  SHA512 31a07da583710c51132f425bd59e6c46934c5a2467a5a31783a71bfc1a5e5d2bcf852e7964e68e09946f1d3b9ba3fd1a8977b74735d4f67169982282bbf4cfc7

C:\Users\Admin\AppData\Local\Temp\RESA1BF.tmp (cvtres.exe output)
  MD5    a8d8073686eba785f7638f0d7ab4e2d6
  SHA1   e93230391d487692e121e78f439bdf0dbe450661
  SHA256 330882ef390a9c11b37ae1bb2d3f6e981875a43654fe664114c5d5af854889a7
  SHA512 7f171692da91792efb4496678bbe625c3822779fb646f34c86adc56d758f36d1468c28870442ed16f78511225244c0a404ccab4bc7aa9a73b8c0e9154feb9ef0

C:\Users\Admin\AppData\Local\Temp\3uhrsrxx.dll (assembly produced by the runtime compile)
  MD5    ab3fdb3bf87f2dcc359b89be1d36869c
  SHA1   fb713a905f94f9e99af1f128527529aaa552a79a
  SHA256 475db4b956df978431150ae2d6b1d0b5fe7b2665435b9443c1b60b2541c1b02c
  SHA512 751656fd8b354abb01917abad97d4d8010807e50607eb18ec159637c1182b7423106a3d7f68a9c0788f2689c6959f2cff60d366e3498be137f40aebb0b4060e2

\??\c:\Users\Admin\AppData\Local\Temp\CSCA1BE.tmp (resource script consumed by cvtres.exe)
  MD5    a59201994b80fc301d8c895006a98dc2
  SHA1   b870c36ae2c83e93e5a3d7a19f3c0c2859a2f823
  SHA256 53d2a51a5a98c82892f43afca1a3d8c70748df956780ce71af3a58de19e00aa3
  SHA512 7e6a0b1ada347f1eb9dc93bd8b6e9d3d6b558c550322a9134d585ec274fa909f1ce53c337ca0aa744a11d9988b8f0cc2189710f13c092b1495f64dfd1d9562c9

C:\Program Files\Orcus\Orcus.exe.config
  MD5    a2b76cea3a59fa9af5ea21ff68139c98
  SHA1   35d76475e6a54c168f536e30206578babff58274
  SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
  SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files\Orcus\Orcus.exe (SHA256 identical to the submitted sample: the dropped payload is a plain copy of test.exe, not an unpacked second stage)
  MD5    355df37589243785512812437ef1d4b2
  SHA1   45fae5fd1ce1aa7f1c239489a3e0db5ab0606128
  SHA256 3bfd1e4cae067297ea03292efbae3f59961453c71a0898433b47961771728544
  SHA512 e1d1c1a3b9569f55247583d0a70458d957d779a696177d61cd5daff31f5372cf1c0bc81272809c90e991bdefbe9e15e4a5b00bcf59f90028588f8157a7feeb64

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\AForge.Video.dll
  MD5    0bd34aa29c7ea4181900797395a6da78
  SHA1   ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
  SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
  SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\AForge.Video.DirectShow.dll
  MD5    17ed442e8485ac3f7dc5b3c089654a61
  SHA1   d3a17c1fdd6d54951141053f88bf8238dea0b937
  SHA256 666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
  SHA512 9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\SharpDX.dll
  MD5    ffb4b61cc11bec6d48226027c2c26704
  SHA1   fa8b9e344accbdc4dffa9b5d821d23f0716da29e
  SHA256 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
  SHA512 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\SharpDX.Direct3D11.dll
  MD5    98eb5ba5871acdeaebf3a3b0f64be449
  SHA1   c965284f60ef789b00b10b3df60ee682b4497de3
  SHA256 d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
  SHA512 a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\SharpDX.Direct3D9.dll
  MD5    934da0e49208d0881c44fe19d5033840
  SHA1   a19c5a822e82e41752a08d3bd9110db19a8a5016
  SHA256 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
  SHA512 de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\SharpDX.DXGI.dll
  MD5    2b44c70c49b70d797fbb748158b5d9bb
  SHA1   93e00e6527e461c45c7868d14cf05c007e478081
  SHA256 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
  SHA512 faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\TurboJpegWrapper.dll
  MD5    ac6acc235ebef6374bed71b37e322874
  SHA1   a267baad59cd7352167636836bad4b971fcd6b6b
  SHA256 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
  SHA512 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\x64\turbojpeg.dll
  MD5    b36cc7f7c7148a783fbed3493bc27954
  SHA1   44b39651949a00cf2a5cbba74c3210b980ae81b4
  SHA256 c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38
  SHA512 c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

The lib_<guid> directory holds exactly the dependencies a remote-desktop and webcam feature needs: AForge.Video and AForge.Video.DirectShow (webcam capture), SharpDX with its Direct3D9, Direct3D11 and DXGI bindings (screen capture), and TurboJpegWrapper with the native x64\turbojpeg.dll (frame compression). None of these libraries is malicious in itself; the combination under %APPDATA%\Orcus\ next to the copied executable in C:\Program Files\Orcus\ is the on-disk footprint to look for on other hosts. No autostart entry is recorded in this report, so how the copy is re-launched after a reboot is not established here.

Memory regions dumped:

PID 4768 (test.exe):
memory/4768-0-0x00007FF933EF5000-0x00007FF933EF6000-memory.dmp
memory/4768-1-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp
memory/4768-2-0x000000001BD60000-0x000000001BDBC000-memory.dmp
memory/4768-5-0x000000001C870000-0x000000001C87E000-memory.dmp
memory/4768-6-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp
memory/4768-7-0x000000001CD50000-0x000000001D21E000-memory.dmp
memory/4768-8-0x000000001D2C0000-0x000000001D35C000-memory.dmp
memory/4768-23-0x000000001D980000-0x000000001D996000-memory.dmp
memory/4768-25-0x0000000001580000-0x0000000001592000-memory.dmp
memory/4768-31-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp

PID 2744 (csc.exe):
memory/2744-19-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp
memory/2744-21-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp

PID 4572 (Orcus.exe):
memory/4572-30-0x00007FF931843000-0x00007FF931845000-memory.dmp
memory/4572-32-0x0000000000E00000-0x0000000000EE8000-memory.dmp
memory/4572-34-0x000000001BA50000-0x000000001BA68000-memory.dmp
memory/4572-33-0x000000001BA40000-0x000000001BA52000-memory.dmp
memory/4572-35-0x000000001CB00000-0x000000001CB10000-memory.dmp
memory/4572-38-0x000000001DB10000-0x000000001DB22000-memory.dmp
memory/4572-39-0x000000001DB70000-0x000000001DBAC000-memory.dmp
memory/4572-40-0x000000001DEA0000-0x000000001DFAA000-memory.dmp
memory/4572-41-0x000000001E180000-0x000000001E342000-memory.dmp
memory/4572-42-0x00007FF931843000-0x00007FF931845000-memory.dmp
memory/4572-45-0x000000001CA50000-0x000000001CA5C000-memory.dmp
memory/4572-53-0x000000001CA20000-0x000000001CA36000-memory.dmp
memory/4572-61-0x000000001CAB0000-0x000000001CAF4000-memory.dmp
memory/4572-69-0x000000001D830000-0x000000001D87A000-memory.dmp
memory/4572-77-0x000000001E0B0000-0x000000001E10A000-memory.dmp
memory/4572-85-0x000000001D880000-0x000000001D8A6000-memory.dmp
memory/4572-93-0x000000001E6B0000-0x000000001E804000-memory.dmp
memory/4572-102-0x00000000660C0000-0x000000006615C000-memory.dmp
memory/4572-109-0x00000000210A0000-0x000000002114A000-memory.dmp
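The triage question this file list answers first is whether the dropped executable is the sample itself (a plain copy, nothing further to extract) or a different binary (an unpacked second stage that needs its own analysis), and the second is what the dropped DLL bundle says about capability. Both can be read off the hashes mechanically. The block below is an added example, not part of the report or of any sandbox vendor's code: it parses an excerpt of the Files section above in the report's own layout (path line, then MD5/SHA1/SHA256/SHA512 lines, with memory/... dump lines interleaved), finds every dropped file whose SHA256 equals the submission hash, and sorts the rest into runtime-compile artifacts, installed payload files and dropped dependencies. The role names and the path heuristics are the example's own choices.

```python
import re

# Excerpt of the Files section copied from the report above, in its original
# layout; the memory/... dump lines are kept to show that the parser skips them.
FILES_TEXT = r"""
\??\c:\Users\Admin\AppData\Local\Temp\3uhrsrxx.0.cs

MD5 a3bd4369c918cafd1e10a52c90c22c13
SHA1 5ff86206b604cdaf7b7a34bdb55263f49c5929ff
SHA256 c13a3424f51e0a8bc3c9341744364588b2c548b0cdd71e02b7c0f8aa9971fa81
SHA512 31a07da583710c51132f425bd59e6c46934c5a2467a5a31783a71bfc1a5e5d2bcf852e7964e68e09946f1d3b9ba3fd1a8977b74735d4f67169982282bbf4cfc7

memory/4768-25-0x0000000001580000-0x0000000001592000-memory.dmp

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/4572-30-0x00007FF931843000-0x00007FF931845000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 355df37589243785512812437ef1d4b2
SHA1 45fae5fd1ce1aa7f1c239489a3e0db5ab0606128
SHA256 3bfd1e4cae067297ea03292efbae3f59961453c71a0898433b47961771728544
SHA512 e1d1c1a3b9569f55247583d0a70458d957d779a696177d61cd5daff31f5372cf1c0bc81272809c90e991bdefbe9e15e4a5b00bcf59f90028588f8157a7feeb64

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\x64\turbojpeg.dll

MD5 b36cc7f7c7148a783fbed3493bc27954
SHA1 44b39651949a00cf2a5cbba74c3210b980ae81b4
SHA256 c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38
SHA512 c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2
"""

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "3bfd1e4cae067297ea03292efbae3f59961453c71a0898433b47961771728544"

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Return {path: {algo: digest}} for every path line followed by hash lines."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                files[current][m[1]] = m[2]
            continue
        if line.startswith("memory/"):
            current = None          # dump entries carry no hashes; skip them
            continue
        current = line
        files.setdefault(current, {})
    return files


def normalize(path):
    """Strip the NT object-manager \\??\\ prefix and lower-case for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def self_copies(files, sample_sha256):
    """Dropped files byte-identical to the submitted sample (plain-copy installs)."""
    return sorted(normalize(p) for p, h in files.items()
                  if h.get("SHA256") == sample_sha256)


def classify(path):
    """Role heuristic from location and name; the categories are this example's own."""
    p = normalize(path)
    name = p.rsplit("\\", 1)[-1]
    if "\\appdata\\local\\temp\\" in p and (
            name.endswith((".cmdline", ".cs", ".tmp")) or re.fullmatch(r"[a-z0-9]{8}\.dll", name)):
        return "runtime-compile artifact"
    if "\\appdata\\roaming\\orcus\\lib_" in p and name.endswith(".dll"):
        return "dropped dependency"
    if p.startswith("c:\\program files\\"):
        return "installed payload"
    return "other"


def inventory(files):
    out = {}
    for p in files:
        out.setdefault(classify(p), []).append(normalize(p))
    return {role: sorted(paths) for role, paths in out.items()}


if __name__ == "__main__":
    files = parse_files(FILES_TEXT)
    print("self-copies of the sample:", self_copies(files, SAMPLE_SHA256))
    for role, paths in inventory(files).items():
        print(role, "->", paths)
```

Running it over the excerpt reports C:\Program Files\Orcus\Orcus.exe as the only self-copy, which is the fact that lets an analyst skip a second-stage extraction for this sample; on a report where the list is empty, the dropped executable is a different binary and needs its own hashes submitted.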