Analysis Overview
SHA256
fb4a1f7fffbe7cb26428ee7814ce93ad35cfe0f84a2116bf028b27179315e2c5
Threat Level: Known bad
The file Orcus RAT v1.3.1 Cracked by Wardow.rar was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcurs Rat Executable
Orcus family
Orcurs Rat Executable
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-14 18:15
Signatures
Orcurs Rat Executable
Orcus family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-14 18:15
Reported
2024-02-14 18:18
Platform
win10-20231220-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Orcus
Orcurs Rat Executable
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "2" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 780031000000000094574e591100557365727300640009000400efbe724a0b5d94574e592e000000320500000000010000000000000000003a00000000006f2a710055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 7e003100000000004e58039211004465736b746f7000680009000400efbe94574e594e5803922e000000965101000000010000000000000000003e0000000000c1331d014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e8005398e082303024b98265d99428e115f0000 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "5" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 54003100000000004e582092100073657276657200003e0009000400efbe4e5820924e5820922e0000000bac0100000007000000000000000000000000000000d45f5e00730065007200760065007200000016000000 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Orcus RAT v1.3.1 Cracked by Wardow.rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT v1.3.1 Cracked by Wardow.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe
"C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /select, "C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe
"C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe"
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe
"C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.exceptionless.io | udp |
| US | 52.149.199.118:443 | collector.exceptionless.io | tcp |
| US | 8.8.8.8:53 | 118.199.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | orcus.pw | udp |
| US | 8.8.8.8:53 | orcus.pw | udp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | orcus.pw | udp |
| US | 8.8.8.8:53 | collector.exceptionless.io | udp |
| US | 52.149.199.118:443 | collector.exceptionless.io | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
Files
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe
| MD5 | 5697edb282858da2e59edd1d93c8429d |
| SHA1 | b168804611f955eac26890acf6177e7252ee3aeb |
| SHA256 | 3d5c2977b83a2926738fe059eeba3282bd5fb34b915dcf0b768728fb7c294053 |
| SHA512 | eae540eaafd8c4085a14efc466a1291b05bf30e29a850a590cc5a695d4eadab7905d765d108f2e820a748357ab43ae82c69c7cc4a5a2cbda9ae201dfa08b898e |
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe.config
| MD5 | 2846ec087e67923c130a5b875193c893 |
| SHA1 | ab1049f2531941cb98e99e5f83e8fb6b5be3a7f4 |
| SHA256 | 148dc241bfa25e5fda9ebef2d315aa95121f9468da29dc167573f32f14733d08 |
| SHA512 | a332471ee3d01a13d6f7fd3516ce58e43ce7f6d7dbc0f6b8cc90b26d1be13b2b5b39ce76c29be753edbf5146eca92c02de2746f251918ac12a1cf103df1899de |
memory/4400-172-0x00000000732D0000-0x00000000739BE000-memory.dmp
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe
| MD5 | 04bd97282cb1e1a2f7a083c4d5b69f51 |
| SHA1 | 815b7c62204437b08334a38933f3f0fb3117e578 |
| SHA256 | 80eac96fc437c948ecb2944cf64a57223fe236c7c5a598a131d56f5ec1415cda |
| SHA512 | d5476e0a25576e22162155c0b9dca7b1a4950e5d51d502246c7932d2657122359d0d249bf40d32f93c8ee8dc6e89317598e62ee892f9137aeef32b65a5289f89 |
memory/4400-174-0x0000000000DC0000-0x0000000001E00000-memory.dmp
\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\nUpdate.dll
| MD5 | 253ba7f0427e3f8e032b97496a019a24 |
| SHA1 | 62793783943b04d8836746bb452145722cf63001 |
| SHA256 | 814eb85113211fa90efe952f35d06e537f01bf38febca48e2c0cef02ebdb1877 |
| SHA512 | 29f848f4293454a0103197cd3bb59e364df099b7a26f926673b30132ffe3d15b505fbfc3e0391482d9cd9ed53efd0f3193d0cdf83e0fb59ce3e27de878b83585 |
\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Exceptionless.Portable.dll
| MD5 | 6aba9f00d64371b940eedc21804ea9eb |
| SHA1 | 5fb0e520a23c780474b0866218c61ff55d083b3f |
| SHA256 | 22c949720dacd2dc19b7744185b18faf53dc18199c36af44158257a08ce7f3fd |
| SHA512 | 9166ff3cfd7adc334f3a98f4a40736c178a1c793f6ca264722bd1b962a3d059d88035eee1f45aab2b45a8692a13ef50c8e762c4c8600937b263fd7c2703185c0 |
memory/4400-182-0x0000000006D50000-0x0000000006E00000-memory.dmp
memory/4400-178-0x0000000006900000-0x0000000006B96000-memory.dmp
memory/4400-183-0x0000000007090000-0x00000000070A0000-memory.dmp
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\MahApps.Metro.dll
| MD5 | fb1e8eee84791cc015e043ab0ce32bba |
| SHA1 | 42fb789011213635a7d022ba4fd5461a0d9a134d |
| SHA256 | 0de72da4bc2d16d39c30368af880d754fa0bd9745897652ba50213e589d265c5 |
| SHA512 | 748af415c875cd5d44f305cf58060e7e66ef2ef041b6e86e3a76287a51af63116096eaed0877dc48c17da6594ad0c8dbf0ecadecb763dd469be8b6cc1d02d4a0 |
memory/4400-187-0x00000000070A0000-0x000000000718C000-memory.dmp
\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\MahApps.Metro.dll
| MD5 | 333cafef53d8bf8fa5ffc3e6f818888f |
| SHA1 | b7fe92c956e3cb48feeaeb9116bd0e2cdedc416d |
| SHA256 | 62c584321fa90ccf53451b3d33b98f715369d51d33573516d32d02b8d33a16a0 |
| SHA512 | 0d0961b32eeeed1350491c0060ab6d496067e64c6889aedaf648f07dd4fbf1198382fc06397c245656081de0deca8962a3ff19bcb5ec0474847149d24a1b239b |
\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\MahApps.Metro.dll
| MD5 | 3577f4c1dddd0bad112945e161f2bc46 |
| SHA1 | 970d8438859caf0ae7ea7541dfbe08128c1b8ce1 |
| SHA256 | 44b31fa706c6f01631dc2ce471cab34364773849b1f52f8e5ea77f5b4fd4719a |
| SHA512 | aee9b527db66f792ffb155bae0237cc755b694e23d87dd3bc6f41cfd3ae64133547e580b366d29101cfbf2d1bfc50cb92926e799308a0ced986f034423c3cc8d |
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Xceed.Wpf.Toolkit.dll
| MD5 | 96a320c552ce1152cd674895ffad9f10 |
| SHA1 | 7a345edab598a794d71d03cd36b78e1ce683e5c5 |
| SHA256 | fcadc89d8b2154008f96073da5562575c054e5520f8cd1ff5e292ffe7e67efd7 |
| SHA512 | 465032415e03c4eb27eb07c157139962d1a3f04619b4bc989bbc1455a62fb5491e7915ac5df9be83c3b17f7287086ab0de0d4caf0cb161f857f3eff05ff776dc |
memory/4400-191-0x00000000072A0000-0x00000000073A2000-memory.dmp
memory/4400-192-0x0000000006D10000-0x0000000006D2C000-memory.dmp
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Orcus.Administration.Licensing.dll
| MD5 | d64bbaaf8b41253f0f78917a4eeaed5b |
| SHA1 | dd6237b90fa7c2a432779f40a1ea9a9354f95555 |
| SHA256 | dc8a8f7764231989b5955eff3234f5c9fb16ac28667b1c9738a2ec510eae9eab |
| SHA512 | 78e5911992bfc61728c5adc283c204531bc9dd9be851fb621aed854a7d9047dc82b54691eb809bcbc8bbc8a1676aa187915f63b457efb9d87c01af99b387617b |
memory/4400-196-0x0000000006D30000-0x0000000006D4C000-memory.dmp
memory/4400-197-0x0000000006D00000-0x0000000006D06000-memory.dmp
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Exceptionless.Extras.dll
| MD5 | d3fcd5038079ef42e23ed39a86af5a31 |
| SHA1 | 3977309df5b3ddc0218a800ee463ddcbcae7503e |
| SHA256 | 9d4ab0418d94d3c3d7025ecc1c70ce1762ee12aaa4d35666c2dc7887df53a537 |
| SHA512 | 8535e4b5b7b61cf31fe69bd43eb2ba4c2a248a2f2a6efcf9b1ffc9cf4d39b67dcb687d45964054b3900f5aa21662b4acc91302f02e99e819ac6f5827a0d493d0 |
memory/4400-201-0x0000000007070000-0x0000000007088000-memory.dmp
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\FluentCommandLineParser.dll
| MD5 | 9b5e37f89268ccce0e098222004093ad |
| SHA1 | 30b12174abda6a420b2cc152b5c682ff8f106c37 |
| SHA256 | fe068b6f15a5423f86558927dd22ec35070c041db9cde1ecade0590d93ca5285 |
| SHA512 | 23e8cbaa6103f5a76729ee8470b5b208d67be22c9b9fa78340055ac8ded04dc6147c8c50cde96f7c10b111f81cab3e5504227ac5b8f1a616c1a1384c6350257f |
memory/4400-205-0x000000000CFD0000-0x000000000CFE2000-memory.dmp
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Newtonsoft.Json.dll
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Sorzus.Wpf.Toolkit.dll
\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\System.Windows.Interactivity.dll
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Orcus.Administration.Plugins.dll
\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\NLog.dll
\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Orcus.Plugins.dll
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\ApplicationAudioPack.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\BSoDProtection.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\BuildPumper.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\DisableWebcamLights.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\EILoTIRiXAudioPack.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\ExceptionTest.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\ExtensionSpoofer.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\GamerView.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\MicrophoneRecorder.orcplg
\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Orcus.Shared.Utilities.dll
\Users\Admin\AppData\Local\Temp\opus.dll
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\NotificationCenter.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\OrcusPatcher.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Mono.Cecil.dll
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\Screamer.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\plugins\ServerStressTest.orcplg
C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\libraries\Orcus.Shared.dll