Analysis Overview
SHA256
5488f8ebdd761b238ac30772eaaf4bc470da2d9b518c13edccfae3ab4c3e9721
Threat Level: Known bad
The file ez.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcurs Rat Executable
Orcus main payload
Orcus family
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
Reads WinSCP keys stored on the system
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Drops desktop.ini file(s)
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Analysis: static1
Detonation Overview
Reported
2025-01-16 16:19
Signatures
Orcurs Rat Executable
Orcus family
Orcus main payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-16 16:19
Reported
2025-01-16 16:22
Platform
win10ltsc2021-20250113-en
Max time kernel
147s
Max time network
150s
Signatures
Orcus
Orcus family
Orcus main payload
Orcurs Rat Executable
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Orcus\Orcus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files\Orcus\Orcus.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvel7vya.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC77DF.tmp"
C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe
"C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe" -i -o
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.12.57.198:18585 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 198.57.12.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\jvel7vya.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\jvel7vya.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSC77DF.tmp
C:\Users\Admin\AppData\Local\Temp\RES77E0.tmp
C:\Users\Admin\AppData\Local\Temp\jvel7vya.dll
C:\Program Files\Orcus\Orcus.exe
C:\Program Files\Orcus\Orcus.exe.config
C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\AForge.Video.dll
C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\AForge.Video.DirectShow.dll
C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\SharpDX.dll
C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\SharpDX.Direct3D11.dll
C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\SharpDX.Direct3D9.dll
C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\SharpDX.DXGI.dll
C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\TurboJpegWrapper.dll
C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\x64\turbojpeg.dll
C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe
C:\Program Files\RDP Wrapper\rdpwrap.dll
\??\c:\program files\rdp wrapper\rdpwrap.ini