orcus | 994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7v20210410
submitted
26-05-2021 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorant Script.bat.exe
Size

1.4MB
MD5

637b3b849ab42985bd2bc59982202df9
SHA1

359dab386ed04c7e9bf1dac6af68ff4b70ee6d71
SHA256

994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c
SHA512

db676cc9cc802d57093b6a71a4cba36e84b93e3ca57c421dc3998c219d711cbdadb3537db2d60b94ad14da5cce1c484a59d8d98ddff112715840d218f1d55488

Score

10^/10

orcus lol rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

lol

isnadsknsbs-38398.portmap.host:12201

Mutex

e1b8920439fc43a68e4d8395e70dc516

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 6 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	family_orcus
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	family_orcus
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 6 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	orcus
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	orcus
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus

Executes dropped EXE 7 IoCs

Processes:

ROBLOX BUCKS AND MOD MENU.EXEWindowsInput.exeWindowsInput.exeOrcus.exeOrcus.exeOrcusWatchdog.exeOrcusWatchdog.exe

pid	process
1192	ROBLOX BUCKS AND MOD MENU.EXE
1812	WindowsInput.exe
1684	WindowsInput.exe
1480	Orcus.exe
1204	Orcus.exe
1992	OrcusWatchdog.exe
1784	OrcusWatchdog.exe

Loads dropped DLL 1 IoCs

Processes:

Valorant Script.bat.exe

pid process

1084 Valorant Script.bat.exe

pid	process
1084	Valorant Script.bat.exe

Drops file in System32 directory 3 IoCs

Processes:

WindowsInput.exeROBLOX BUCKS AND MOD MENU.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	ROBLOX BUCKS AND MOD MENU.EXE

Drops file in Program Files directory 4 IoCs

Processes:

ROBLOX BUCKS AND MOD MENU.EXEValorant Script.bat.exe

description	ioc	process
File opened for modification	C:\Program Files\Orcus\Orcus.exe	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Program Files\Orcus\Orcus.exe.config	ROBLOX BUCKS AND MOD MENU.EXE
File created	C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE	Valorant Script.bat.exe
File created	C:\Program Files\Orcus\Orcus.exe	ROBLOX BUCKS AND MOD MENU.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OrcusWatchdog.exeOrcus.exe

pid	process
1784	OrcusWatchdog.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1480	Orcus.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe
1480	Orcus.exe
1784	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Orcus.exeOrcusWatchdog.exeOrcusWatchdog.exe

description pid process

Token: SeDebugPrivilege 1480 Orcus.exe
Token: SeDebugPrivilege 1992 OrcusWatchdog.exe
Token: SeDebugPrivilege 1784 OrcusWatchdog.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

1480 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

1480 Orcus.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Orcus.exe

pid process

1480 Orcus.exe

description	pid	process
Token: SeDebugPrivilege	1480	Orcus.exe
Token: SeDebugPrivilege	1992	OrcusWatchdog.exe
Token: SeDebugPrivilege	1784	OrcusWatchdog.exe

pid	process
1480	Orcus.exe

pid	process
1480	Orcus.exe

pid	process
1480	Orcus.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Valorant Script.bat.exeROBLOX BUCKS AND MOD MENU.EXEcsc.exetaskeng.exeOrcus.exeOrcusWatchdog.exe

description	pid	process	target process
PID 1084 wrote to memory of 1192	1084	Valorant Script.bat.exe	ROBLOX BUCKS AND MOD MENU.EXE
PID 1084 wrote to memory of 1192	1084	Valorant Script.bat.exe	ROBLOX BUCKS AND MOD MENU.EXE
PID 1084 wrote to memory of 1192	1084	Valorant Script.bat.exe	ROBLOX BUCKS AND MOD MENU.EXE
PID 1084 wrote to memory of 1192	1084	Valorant Script.bat.exe	ROBLOX BUCKS AND MOD MENU.EXE
PID 1192 wrote to memory of 1988	1192	ROBLOX BUCKS AND MOD MENU.EXE	csc.exe
PID 1192 wrote to memory of 1988	1192	ROBLOX BUCKS AND MOD MENU.EXE	csc.exe
PID 1192 wrote to memory of 1988	1192	ROBLOX BUCKS AND MOD MENU.EXE	csc.exe
PID 1988 wrote to memory of 1844	1988	csc.exe	cvtres.exe
PID 1988 wrote to memory of 1844	1988	csc.exe	cvtres.exe
PID 1988 wrote to memory of 1844	1988	csc.exe	cvtres.exe
PID 1192 wrote to memory of 1812	1192	ROBLOX BUCKS AND MOD MENU.EXE	WindowsInput.exe
PID 1192 wrote to memory of 1812	1192	ROBLOX BUCKS AND MOD MENU.EXE	WindowsInput.exe
PID 1192 wrote to memory of 1812	1192	ROBLOX BUCKS AND MOD MENU.EXE	WindowsInput.exe
PID 1192 wrote to memory of 1480	1192	ROBLOX BUCKS AND MOD MENU.EXE	Orcus.exe
PID 1192 wrote to memory of 1480	1192	ROBLOX BUCKS AND MOD MENU.EXE	Orcus.exe
PID 1192 wrote to memory of 1480	1192	ROBLOX BUCKS AND MOD MENU.EXE	Orcus.exe
PID 1276 wrote to memory of 1204	1276	taskeng.exe	Orcus.exe
PID 1276 wrote to memory of 1204	1276	taskeng.exe	Orcus.exe
PID 1276 wrote to memory of 1204	1276	taskeng.exe	Orcus.exe
PID 1480 wrote to memory of 1992	1480	Orcus.exe	OrcusWatchdog.exe
PID 1480 wrote to memory of 1992	1480	Orcus.exe	OrcusWatchdog.exe
PID 1480 wrote to memory of 1992	1480	Orcus.exe	OrcusWatchdog.exe
PID 1480 wrote to memory of 1992	1480	Orcus.exe	OrcusWatchdog.exe
PID 1992 wrote to memory of 1784	1992	OrcusWatchdog.exe	OrcusWatchdog.exe
PID 1992 wrote to memory of 1784	1992	OrcusWatchdog.exe	OrcusWatchdog.exe
PID 1992 wrote to memory of 1784	1992	OrcusWatchdog.exe	OrcusWatchdog.exe
PID 1992 wrote to memory of 1784	1992	OrcusWatchdog.exe	OrcusWatchdog.exe

C:\Users\Admin\AppData\Local\Temp\Valorant Script.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant Script.bat.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE
  "C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eve-pgls.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA4D.tmp"
      4⤵
      PID:1844
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1812
- - C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1480 /protectFile
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 1480 "/protectFile"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\taskeng.exe
taskeng.exe {AEB53CCD-17F5-4434-921E-C9779C301641} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files\Orcus\Orcus.exe

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files\Orcus\Orcus.exe

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files\Orcus\Orcus.exe

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA4E.tmp

MD5
1f817fb209839738127534e27dcaf9ba

SHA1
de213c3f973fda3335dc50fbfb0303b8860d890b

SHA256
a79b3296ab2e2d2fb57ef8ba510023a876fb2bc4679d35d7ab3c7a272241bc64

SHA512
2c2254443891061600687b858b094bf0d862d0dd97289160b9be82142a0a896b26662a5d8eb26f85440abc594cf4346f269a48465429f055c0f4301aefb083c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eve-pgls.dll

MD5
4c2ada29f006b499425d68af43028603

SHA1
0ac37d1fe4d5c34298f65a898b1bf9946663ffa5

SHA256
0014cab3c33942b714b3fd8481f03ec0953eab043f5bc1dd1eb5e68d900db2fd

SHA512
1ba660102c80df5fcaa1ed0780b77806bd2cc1b5f21d6dc35c8320c1b42474648931ba2340a0f55a970c2046a8a9369d4780c9966acbec4e89bcae4cc638e67b

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA4D.tmp

MD5
71d543d3551ad526f86aa57780fd1d42

SHA1
9fa8719f64a06b0d70ad108ddde284831bd542d7

SHA256
f1abe75edd206eb5ad5e22eb3df22186e67d41be39d44861a73b2364960f1d1e

SHA512
302ac56e99954eb9d6308f6a117eec24fd5fe9d6f00df5469676f54fc7799f5a3997712b24b9e661842a68d1c8da9b8329eaee49b04d223f3a3baf5d137fcf62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eve-pgls.0.cs

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eve-pgls.cmdline

MD5
ee0e0737a94e5bde89b1747cb548e7f1

SHA1
21eaa45031fc6a83b2543e8a095746b80b4feb06

SHA256
9df3dbd1c05c650bb87db18c12e84d19b467c5068e16f7bf00ca69f478801fe6

SHA512
761a05c711c574ed371fa2ce1e81a03d6162d21c3f09d2253971d105b83cb9f05847ab14850f923adcf7f29931175dcf0438ae0deebe003f6d3611b6ec66d6e5

Download Submit
\Program Files (x86)\ROBLOX BUCKS AND MOD MENU.EXE

MD5
6a228de0a2eea8adff599cfed2148f0c

SHA1
c4dd51264523448daec780f7e6d6d83de50e7e18

SHA256
c66658f01b33fb69daedb14c6a47d3105d6a6900fe261ffa75025a9ee26c2e24

SHA512
0df4437047bc8f92a18b7ed9fea0d99f52f93d3b6d2701b7ec40dac495e8e35147a87295e270d4910f14894c491db114509a30d1f0d87b1fabfe917184dc7f88

Download Submit
memory/1084-59-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1192-64-0x000007FEF2640000-0x000007FEF36D6000-memory.dmp

Filesize
16.6MB

Download
memory/1192-65-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/1192-61-0x0000000000000000-mapping.dmp

Download
memory/1204-113-0x000000001A890000-0x000000001A892000-memory.dmp

Filesize
8KB

Download
memory/1204-99-0x0000000000000000-mapping.dmp

Download
memory/1480-97-0x0000000000990000-0x00000000009A5000-memory.dmp

Filesize
84KB

Download
memory/1480-112-0x000000001B068000-0x000000001B087000-memory.dmp

Filesize
124KB

Download
memory/1480-92-0x000000001A810000-0x000000001A86A000-memory.dmp

Filesize
360KB

Download
memory/1480-93-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1480-94-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1480-95-0x0000000000B60000-0x0000000000BA8000-memory.dmp

Filesize
288KB

Download
memory/1480-96-0x000000001B060000-0x000000001B062000-memory.dmp

Filesize
8KB

Download
memory/1480-85-0x0000000000000000-mapping.dmp

Download
memory/1480-98-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/1480-111-0x000000001B062000-0x000000001B064000-memory.dmp

Filesize
8KB

Download
memory/1480-90-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1684-86-0x0000000019A30000-0x0000000019A32000-memory.dmp

Filesize
8KB

Download
memory/1784-115-0x0000000000000000-mapping.dmp

Download
memory/1812-77-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1812-73-0x0000000000000000-mapping.dmp

Download
memory/1812-83-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/1844-69-0x0000000000000000-mapping.dmp

Download
memory/1988-81-0x00000000022F0000-0x00000000022F2000-memory.dmp

Filesize
8KB

Download
memory/1988-66-0x0000000000000000-mapping.dmp

Download
memory/1992-105-0x0000000000000000-mapping.dmp

Download
memory/1992-109-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download