Malware Analysis Report

2025-01-22 15:11

Sample ID 240214-wvx3qsae25
Target Orcus RAT v1.3.1 Cracked by Wardow.rar
SHA256 fb4a1f7fffbe7cb26428ee7814ce93ad35cfe0f84a2116bf028b27179315e2c5
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb4a1f7fffbe7cb26428ee7814ce93ad35cfe0f84a2116bf028b27179315e2c5

Threat Level: Known bad

The file Orcus RAT v1.3.1 Cracked by Wardow.rar was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus

Orcurs Rat Executable

Orcus family

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-14 18:15

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 18:15

Reported

2024-02-14 18:18

Platform

win10-20231220-en

Max time kernel

149s

Max time network

138s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Orcus RAT v1.3.1 Cracked by Wardow.rar"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
N/A N/A C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "2" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 780031000000000094574e591100557365727300640009000400efbe724a0b5d94574e592e000000320500000000010000000000000000003a00000000006f2a710055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 7e003100000000004e58039211004465736b746f7000680009000400efbe94574e594e5803922e000000965101000000010000000000000000003e0000000000c1331d014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e8005398e082303024b98265d99428e115f0000 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "5" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 54003100000000004e582092100073657276657200003e0009000400efbe4e5820924e5820922e0000000bac0100000007000000000000000000000000000000d45f5e00730065007200760065007200000016000000 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Orcus RAT v1.3.1 Cracked by Wardow.rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT v1.3.1 Cracked by Wardow.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe

"C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" /select, "C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe

"C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\server\Orcus.Server.CommandLine.exe"

C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe

"C:\Users\Admin\Desktop\Orcus RAT v1.3.1 Cracked by Wardow\Orcus.Administration.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 collector.exceptionless.io udp
US 52.149.199.118:443 collector.exceptionless.io tcp
US 8.8.8.8:53 118.199.149.52.in-addr.arpa udp
US 8.8.8.8:53 orcus.pw udp
US 8.8.8.8:53 orcus.pw udp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:10134 tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 orcus.pw udp
US 8.8.8.8:53 collector.exceptionless.io udp
US 52.149.199.118:443 collector.exceptionless.io tcp
N/A 127.0.0.1:10134 tcp
N/A 127.0.0.1:10134 tcp

Files
