Malware Analysis Report

2025-03-15 06:46

Sample ID 250116-tstlesyrhm
Target ez.exe
SHA256 5488f8ebdd761b238ac30772eaaf4bc470da2d9b518c13edccfae3ab4c3e9721
Tags
orcus discovery evasion persistence privilege_escalation rat spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

5488f8ebdd761b238ac30772eaaf4bc470da2d9b518c13edccfae3ab4c3e9721

Threat Level: Known bad

The file ez.exe was found to be: Known bad.

Malicious Activity Summary

orcus discovery evasion persistence privilege_escalation rat spyware stealer

Orcus

Orcurs Rat Executable

Orcus main payload

Orcus family

Modifies Windows Firewall

Server Software Component: Terminal Services DLL

Reads WinSCP keys stored on the system

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-16 16:19

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-16 16:19

Reported

2025-01-16 16:22

Platform

win10ltsc2021-20250113-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ez.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A

Server Software Component: Terminal Services DLL

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 0.tcp.ngrok.io | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Modifies WinLogon

persistence

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A
File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A
File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Orcus\Orcus.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3764 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\ez.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3764 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\ez.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3380 wrote to memory of 4236 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3380 wrote to memory of 4236 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3764 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\ez.exe | C:\Program Files\Orcus\Orcus.exe
PID 3764 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\ez.exe | C:\Program Files\Orcus\Orcus.exe
PID 756 wrote to memory of 4472 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe
PID 756 wrote to memory of 4472 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe
PID 756 wrote to memory of 4472 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe
PID 4472 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | C:\Windows\SYSTEM32\netsh.exe
PID 4472 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe | C:\Windows\SYSTEM32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ez.exe

"C:\Users\Admin\AppData\Local\Temp\ez.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvel7vya.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC77DF.tmp"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe

"C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe" -i -o

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp
US | 3.12.57.198:18585 | 0.tcp.ngrok.io | tcp
US | 8.8.8.8:53 | 198.57.12.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp

Files

memory/3764-0-0x00007FFAF0565000-0x00007FFAF0566000-memory.dmp

memory/3764-1-0x00007FFAF02B0000-0x00007FFAF0C51000-memory.dmp

memory/3764-2-0x000000001B330000-0x000000001B38C000-memory.dmp

memory/3764-5-0x000000001B410000-0x000000001B41E000-memory.dmp

memory/3764-7-0x000000001C370000-0x000000001C83E000-memory.dmp

memory/3764-6-0x00007FFAF02B0000-0x00007FFAF0C51000-memory.dmp

memory/3764-8-0x000000001C8E0000-0x000000001C97C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jvel7vya.cmdline

MD5 3cbbe9835a6b5beecb4c326666f516bd
SHA1 7c25642dfa7097163d179c2f227c91cc52e6ae3f
SHA256 2816fd69b471419b15e14c645fdc2c8ff365d79f7d284726f01e311da4b04415
SHA512 e736f457d6329ca8ca83665214b89edd2979a02fb3f735d7f766436db73a329fe7f195806be9322fdf20769d3d08a8acf568c5fe0f1e0bebb793df3490093774

\??\c:\Users\Admin\AppData\Local\Temp\jvel7vya.0.cs

MD5 ef2933a93a879cccf7f0c1062bda4f09
SHA1 4bc6c94dbd9d428017e6f42c6c02c1988a72a3d1
SHA256 51fbd676b0bff7dc1fd7d70e88a91fbfabd8396ef53c994764d9e04f9f2d15e9
SHA512 5ca0b83343b54632a4ca4cc87bd26a3e4239dae12d4c7a909e0c389c97dcd33829f1db4c8272e29c630156254734a4854718ee4302c1fda4ed816f883324bc67

memory/3380-14-0x00007FFAF02B0000-0x00007FFAF0C51000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC77DF.tmp

MD5 9dbc93ea7338b7fd663e0a3f71362a7e
SHA1 8c8fe4d900f988b1d6ca2343baa8a7fb4e123bf4
SHA256 a3c66a2bb948893aac8f131b8c367759de679bfe0909a7cc5fbd3bda9a568dc3
SHA512 40b5d1a8f141db94ba71cb87eb9f961cee03f050d0217fc01cbf5ac04760a7ff8e052528bba56fbeab845f672b7d725736f24197dea673759147428667ddd1f7

C:\Users\Admin\AppData\Local\Temp\RES77E0.tmp

MD5 2fca075c4c53b5f285c9de18b420ca8c
SHA1 a5c749c588d66a161ba2d5cf79dff2998fd53f27
SHA256 d0c00a3086d21a0e0fc60902121bbf7c85c38b09680f2dbb8292dfad1dd75607
SHA512 016ebe6ab31b5e048cb0afb35680e743cd1e1c88883e25a648cc9bbedfb6884c2fc1c65edf6fb39c8f1176ab018ecd0b9f5d9a46d043946ce06f01bfd8962e48

memory/3380-21-0x00007FFAF02B0000-0x00007FFAF0C51000-memory.dmp

memory/3764-23-0x000000001B450000-0x000000001B466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jvel7vya.dll

MD5 871865f9d4b7d96b758bfd515deaf05e
SHA1 648f0c9373e889a2c889f5d089fa190041e83c24
SHA256 0a0e0e552d6a7b391ba88dd7905aa3b2d508f8c5b5c434e808313f5ad443c2d9
SHA512 e7ed12c493800c472d4a79eab37e32b7bcc1c21a0760d7e9e1d2498d11e4e8c6bcff9eacac93a35b3f215d1845f500bc9eaa72d279dd1ef5e5bfdce95783fcbe

memory/3764-25-0x000000001B270000-0x000000001B282000-memory.dmp

memory/3764-26-0x0000000000D00000-0x0000000000D08000-memory.dmp

memory/3764-27-0x00007FFAF02B0000-0x00007FFAF0C51000-memory.dmp

memory/3764-28-0x00007FFAF0565000-0x00007FFAF0566000-memory.dmp

memory/3764-29-0x00007FFAF02B0000-0x00007FFAF0C51000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 1f0eaf2212e650d546ce25bed971ea6a
SHA1 10964f65e5f5cb5b39793948c47960b3df816a78
SHA256 5488f8ebdd761b238ac30772eaaf4bc470da2d9b518c13edccfae3ab4c3e9721
SHA512 d4773894f5a38fc4d994aff8985311e16310de775fbe88e0caf67aa0cd45b89ad2f175daa7fd3465b2112ed4c490c36832d92ab23b71bc50e568c4bd9aea8f68

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/756-37-0x0000000000E30000-0x0000000000F18000-memory.dmp

memory/3764-36-0x00007FFAF02B0000-0x00007FFAF0C51000-memory.dmp

memory/756-38-0x0000000003020000-0x0000000003032000-memory.dmp

memory/756-39-0x00000000031B0000-0x00000000031C8000-memory.dmp

memory/756-40-0x00000000017E0000-0x00000000017F0000-memory.dmp

memory/756-41-0x000000001BAF0000-0x000000001BB02000-memory.dmp

memory/756-42-0x000000001D320000-0x000000001D35C000-memory.dmp

memory/756-43-0x000000001D470000-0x000000001D57A000-memory.dmp

memory/756-44-0x000000001D750000-0x000000001D912000-memory.dmp

memory/756-47-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\AForge.Video.dll

MD5 0bd34aa29c7ea4181900797395a6da78
SHA1 ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256 bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512 a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

memory/756-55-0x000000001D300000-0x000000001D316000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\AForge.Video.DirectShow.dll

MD5 17ed442e8485ac3f7dc5b3c089654a61
SHA1 d3a17c1fdd6d54951141053f88bf8238dea0b937
SHA256 666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
SHA512 9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

memory/756-63-0x000000001D3B0000-0x000000001D3F4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\SharpDX.dll

MD5 ffb4b61cc11bec6d48226027c2c26704
SHA1 fa8b9e344accbdc4dffa9b5d821d23f0716da29e
SHA256 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
SHA512 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

memory/756-71-0x000000001D400000-0x000000001D44A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\SharpDX.Direct3D11.dll

MD5 98eb5ba5871acdeaebf3a3b0f64be449
SHA1 c965284f60ef789b00b10b3df60ee682b4497de3
SHA256 d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
SHA512 a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

memory/756-79-0x000000001D640000-0x000000001D69A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\SharpDX.Direct3D9.dll

MD5 934da0e49208d0881c44fe19d5033840
SHA1 a19c5a822e82e41752a08d3bd9110db19a8a5016
SHA256 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
SHA512 de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

memory/756-87-0x000000001D5E0000-0x000000001D606000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\SharpDX.DXGI.dll

MD5 2b44c70c49b70d797fbb748158b5d9bb
SHA1 93e00e6527e461c45c7868d14cf05c007e478081
SHA256 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
SHA512 faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

memory/756-95-0x000000001DA80000-0x000000001DBD4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\TurboJpegWrapper.dll

MD5 ac6acc235ebef6374bed71b37e322874
SHA1 a267baad59cd7352167636836bad4b971fcd6b6b
SHA256 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
SHA512 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

memory/756-104-0x000000001DBE0000-0x000000001DD32000-memory.dmp

memory/756-105-0x000000001DA20000-0x000000001DA6A000-memory.dmp

memory/756-106-0x000000001E0C0000-0x000000001E110000-memory.dmp

C:\Users\Admin\AppData\Roaming\Orcus\lib_6aa90683b44541319ca2fec646e0dff6\x64\turbojpeg.dll

MD5 b36cc7f7c7148a783fbed3493bc27954
SHA1 44b39651949a00cf2a5cbba74c3210b980ae81b4
SHA256 c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38
SHA512 c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe

MD5 9c257b1d15817a818a675749f0429130
SHA1 234d14da613c1420ea17de60ab8c3621d1599f6f
SHA256 b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c
SHA512 b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

memory/756-117-0x00000000660C0000-0x000000006615C000-memory.dmp

C:\Program Files\RDP Wrapper\rdpwrap.dll

MD5 461ade40b800ae80a40985594e1ac236
SHA1 b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

\??\c:\program files\rdp wrapper\rdpwrap.ini

MD5 dddd741ab677bdac8dcd4fa0dda05da2
SHA1 69d328c70046029a1866fd440c3e4a63563200f9
SHA256 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668
SHA512 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

memory/4472-124-0x0000000000400000-0x0000000000553000-memory.dmp