Analysis Overview
SHA256
6d93347f32f5046a8dff6e59d67f43e1e0c11f51ca718c85e55246a57e49c22c
Threat Level: Known bad
The file RAT.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus main payload
Orcurs Rat Executable
Orcus family
Orcurs Rat Executable
Uses the VBS compiler for execution
Loads dropped DLL
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-23 11:53
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-23 11:53
Reported
2025-01-23 11:55
Platform
win7-20240903-en
Max time kernel
122s
Max time network
141s
Command Line
Signatures
Orcus
Orcus family
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RAT.exe
"C:\Users\Admin\AppData\Local\Temp\RAT.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 195.88.218.126:10134 | tcp | |
| NL | 195.88.218.126:10134 | tcp | |
| NL | 195.88.218.126:10134 | tcp | |
| NL | 195.88.218.126:10134 | tcp | |
| NL | 195.88.218.126:10134 | tcp |
Files
memory/2628-0-0x00000000748EE000-0x00000000748EF000-memory.dmp
memory/2628-1-0x00000000010E0000-0x00000000011C8000-memory.dmp
memory/2628-2-0x00000000005D0000-0x00000000005DE000-memory.dmp
memory/2628-3-0x0000000000690000-0x00000000006EC000-memory.dmp
memory/2628-4-0x00000000748E0000-0x0000000074FCE000-memory.dmp
memory/2628-5-0x0000000000710000-0x0000000000722000-memory.dmp
memory/2628-6-0x0000000000A90000-0x0000000000AA8000-memory.dmp
memory/2628-7-0x0000000000AC0000-0x0000000000AD0000-memory.dmp
memory/2628-8-0x00000000748E0000-0x0000000074FCE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC0C2.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-23 11:53
Reported
2025-01-23 11:55
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Orcus
Orcus family
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
Uses the VBS compiler for execution
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RAT.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RAT.exe
"C:\Users\Admin\AppData\Local\Temp\RAT.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450 0x150
C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9330.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc932F.tmp"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5ed746f8,0x7ffa5ed74708,0x7ffa5ed74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 195.88.218.126:10134 | tcp | |
| US | 8.8.8.8:53 | 214.72.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| NL | 195.88.218.126:10134 | tcp | |
| NL | 195.88.218.126:10134 | tcp | |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| NL | 195.88.218.126:10134 | tcp | |
| US | 8.8.8.8:53 | 126.218.88.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.250.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 2.22.251.51:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 51.251.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 2.22.251.18:443 | r.bing.com | tcp |
| US | 2.22.251.18:443 | r.bing.com | tcp |
| US | 2.22.251.42:443 | th.bing.com | tcp |
| US | 2.22.251.42:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 18.251.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.251.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
Files
memory/1316-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp
memory/1316-1-0x0000000000950000-0x0000000000A38000-memory.dmp
memory/1316-2-0x00000000013E0000-0x00000000013EE000-memory.dmp
memory/1316-3-0x0000000074D40000-0x00000000754F0000-memory.dmp
memory/1316-4-0x0000000005290000-0x00000000052EC000-memory.dmp
memory/1316-5-0x00000000059A0000-0x0000000005F44000-memory.dmp
memory/1316-6-0x0000000005490000-0x0000000005522000-memory.dmp
memory/1316-7-0x0000000005470000-0x0000000005482000-memory.dmp
memory/1316-8-0x0000000005950000-0x0000000005968000-memory.dmp
memory/1316-9-0x0000000005980000-0x0000000005990000-memory.dmp
memory/1316-10-0x0000000006270000-0x000000000627A000-memory.dmp
memory/1316-11-0x0000000074D4E000-0x0000000074D4F000-memory.dmp
memory/1316-12-0x0000000074D40000-0x00000000754F0000-memory.dmp
memory/1316-15-0x0000000006880000-0x00000000068E6000-memory.dmp
memory/1316-16-0x00000000072F0000-0x0000000007908000-memory.dmp
memory/1316-17-0x0000000006920000-0x0000000006932000-memory.dmp
memory/1316-18-0x0000000006D10000-0x0000000006D4C000-memory.dmp
memory/1316-19-0x0000000006D50000-0x0000000006D9C000-memory.dmp
memory/1316-20-0x0000000006ED0000-0x0000000006FDA000-memory.dmp
memory/1316-21-0x0000000007910000-0x0000000007AD2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.dll
| MD5 | ffb4b61cc11bec6d48226027c2c26704 |
| SHA1 | fa8b9e344accbdc4dffa9b5d821d23f0716da29e |
| SHA256 | 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303 |
| SHA512 | 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9 |
memory/1316-26-0x0000000006030000-0x0000000006074000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.Direct3D11.dll
| MD5 | 98eb5ba5871acdeaebf3a3b0f64be449 |
| SHA1 | c965284f60ef789b00b10b3df60ee682b4497de3 |
| SHA256 | d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c |
| SHA512 | a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2 |
memory/1316-33-0x0000000006280000-0x00000000062CA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.Direct3D9.dll
| MD5 | 934da0e49208d0881c44fe19d5033840 |
| SHA1 | a19c5a822e82e41752a08d3bd9110db19a8a5016 |
| SHA256 | 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7 |
| SHA512 | de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59 |
memory/1316-40-0x0000000006330000-0x000000000638A000-memory.dmp
memory/1316-47-0x00000000062D0000-0x00000000062F6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.DXGI.dll
| MD5 | 2b44c70c49b70d797fbb748158b5d9bb |
| SHA1 | 93e00e6527e461c45c7868d14cf05c007e478081 |
| SHA256 | 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf |
| SHA512 | faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0 |
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\TurboJpegWrapper.dll
| MD5 | ac6acc235ebef6374bed71b37e322874 |
| SHA1 | a267baad59cd7352167636836bad4b971fcd6b6b |
| SHA256 | 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96 |
| SHA512 | 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081 |
memory/1316-54-0x0000000007DC0000-0x0000000007F14000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\CSCore.dll
| MD5 | dde3ec6e17bc518b10c99efbd09ab72e |
| SHA1 | a2306e60b74b8a01a0dbc1199a7fffca288f2033 |
| SHA256 | 60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8 |
| SHA512 | 09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877 |
memory/1316-61-0x0000000007FB0000-0x0000000008036000-memory.dmp
memory/1316-64-0x0000000008670000-0x0000000008B9C000-memory.dmp
memory/1316-65-0x0000000074D40000-0x00000000754F0000-memory.dmp
memory/1316-66-0x0000000074D40000-0x00000000754F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\OpusWrapper.dll
| MD5 | bf0ef47bea0139b87d42a449a0240101 |
| SHA1 | 37b65cd6830088707be692d4602b10062a46b91a |
| SHA256 | 07ec44bca9b44de3b22f9d212db3ecc5191201e27e4310d7bb2b199deffbab5a |
| SHA512 | 830c5b380c844a8490cf482ef4ca4821b6185f5fd204c3edf21de0b449727448835b9cbfb103eb74aa91f05abb7390ed1c0ed5e815a7101d9127fc38382daa8a |
memory/1316-71-0x0000000009660000-0x000000000973A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.cmdline
| MD5 | 55e34ac86a6b50bf598b49c838cf688d |
| SHA1 | 9ef8f8e20e6296076df42a35cdb97da55f359a91 |
| SHA256 | ea95bc7667531ab0d20a4be001600d3e97559ac022d34cc84fbe2e353f59b008 |
| SHA512 | 96992c333c5a4b1ac1e1f35e4067c208c55e87feb851ebd7bb8f29905b3cf56a047961f998f7ccf715a878e2336293561051b21c29526ab742a0b5ec978433d6 |
memory/3668-78-0x0000000003530000-0x0000000003540000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.0.vb
| MD5 | 0a43dfa95cb44176347e31049a66f71f |
| SHA1 | 6d7d6633e4981c6fafb0fd4022b0d379bd9eb417 |
| SHA256 | 709389aaeaaf573b3642710488e63f16ff74358b5c2208c66ae538fe0eb781b4 |
| SHA512 | e507daf5adfbed7af1f6c7aca453adf0cbc996287ed6fbcc965aaf28ff8e5c7d1b2329d97c0acaa7998a4ebe014bc5b5cbdc5e7158d02a2187b3213d5e613f0e |
C:\Users\Admin\AppData\Local\Temp\vbc932F.tmp
| MD5 | 3b18d78a05359a9a4085233b47c36dc0 |
| SHA1 | 4b3de13dc448611da510a545f10149aa7af27779 |
| SHA256 | a07e4aac7dd212e6c3ab5592177cfe8fc53c52d7a71681ec722e2f44fe324391 |
| SHA512 | 9d5b36c95e5a6b886880b162813c4a82b7f3c8e638445e91caf4e2a56d378157ae09434491abb54c00cdec7c94d3eec9d749ec4c6ffdccada357f42d6c0c7e04 |
C:\Users\Admin\AppData\Local\Temp\RES9330.tmp
| MD5 | 6c0ebd0e0a77cad2f72891a02a1f2225 |
| SHA1 | eca5a991c3f156abb2bd372032cd5af8d5834141 |
| SHA256 | 3ca465fee8f284100c3e98607de12b81b484e5cf7270a9683c4b081f8570e687 |
| SHA512 | 0adc8ec208ba4de05b8d717c897c9c187d041ea7046c83c07b52d126654defe1a029e22e3c4646efb12f9a8d6f27d90125ab2a317ec8ec4f34baba3e2f463e57 |
C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.dll
| MD5 | 69fd480476e88b5021186629d7b26bc0 |
| SHA1 | 2c6128c7354474594b1c13c87fa3e02ae0f012c2 |
| SHA256 | 1aebe8d1de91874685509e023177c4fda29f621c010944244ae91ea5ecf1a7c1 |
| SHA512 | d46b25348922e116861f089e8191ff30d66673e50138c48a91bcae2b63bca74fc0fc5b74427d05084d95e0846e4c38c4c20b196bddbe6ebb49b8a8889f8d1309 |
memory/1316-89-0x00000000091E0000-0x00000000091E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\x86\turbojpeg.dll
| MD5 | 82898ed19da89d7d44e280a3ced95e9b |
| SHA1 | eec0af5733c642eac8c5e08479f462d1ec1ed4db |
| SHA256 | 5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29 |
| SHA512 | ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ba6ef346187b40694d493da98d5da979 |
| SHA1 | 643c15bec043f8673943885199bb06cd1652ee37 |
| SHA256 | d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73 |
| SHA512 | 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c |
\??\pipe\LOCAL\crashpad_2472_YIEINRBAMCKGUKKW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b8880802fc2bb880a7a869faa01315b0 |
| SHA1 | 51d1a3fa2c272f094515675d82150bfce08ee8d3 |
| SHA256 | 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812 |
| SHA512 | e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2df5cdf9ad7020a675fca2c787cc7fd0 |
| SHA1 | 370f68a576e998c5984f5c89f9c30720b3badd12 |
| SHA256 | 954503660e84cfee9300fece28c5e4f8226f1f3b093f7bbc92b101cafa38fcb8 |
| SHA512 | 05dab907e77460ca5902af80744d567da81042c75772d44ec9c7abbb6a6d513eb62d708c281eaa74b9b8e38e1a10c3cfb4d9574c88db5803dd5715ecedf62ff5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7154a4bcbd9481b2605ba6ceb413aad4 |
| SHA1 | 3799f30f903112a51a6f9a1271306d42e26e779d |
| SHA256 | 2a110ee391726afffd82d2f836847ac78f2e1eadd0c2eb57ebf8407ceafc2c0e |
| SHA512 | 3be5f4f7ab2d90450426da3551f87c6abafd13b99b629a147bcc01905590fc4018f86692bafea792dec2ea19f60b459d6398584709dc4a6c82bb8d9e060eee01 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 12894b06fe97d03b1d2deee03f165032 |
| SHA1 | 93cd95d8af9f3c783d495443c4373b351ef75783 |
| SHA256 | a290d638df18dcc5f782a0f9ea4fd70d5d7b549de4a7a794c9fe5f6038f26c2c |
| SHA512 | 4b34ded7861f87313b5f493715b47bf596148d445d16ff52fd7bcb45f34ca67fd57714330e8ca74b49993f6a12e6b086916ec99d075b8923d22c43d8ec664007 |