orcus | faa87251336d864b877a5e6c3e9c9a5e250318be2fdfc8a42ceadb3a956e0405

Analysis

max time kernel
1467s
max time network
1419s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7z2408.exe
Size

1.3MB
MD5

d646419d462f0206a3341aef0aa5e3c7
SHA1

eb4b809bbf91804e9bb17be36e9469818601ed91
SHA256

faa87251336d864b877a5e6c3e9c9a5e250318be2fdfc8a42ceadb3a956e0405
SHA512

7f6c46c780fcb5fc10cc5405221179ddecbbb871c578ca3d9e3a74141271b383bd83e8f9d75c98d7e9d406e9b935d52a6b04913d654169e0b30f0719225e7dd9
SSDEEP

24576:0AkPEo1y9fcw5K42KmEDCesqTvbdWZWz08ZuEzamDoyhbxGC7eBRak0a7IU9F0:0AJoo24xVWerHkZWAbFWoyhiakn7IU9S

Score

10^/10

orcus credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

10.127.1.0:5555

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
wireguard
watchdog_path
AppData\wireguard.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002368c-1683.dat	family_orcus
behavioral1/files/0x00080000000236b9-1703.dat	family_orcus

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Orcurs Rat Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x000700000002368c-1683.dat	orcus
behavioral1/memory/6136-1686-0x0000000014900000-0x000000001570E000-memory.dmp	orcus
behavioral1/files/0x00080000000236b9-1703.dat	orcus
behavioral1/memory/3336-2074-0x0000000000C10000-0x0000000000CFE000-memory.dmp	orcus

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Orcus.Administration.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wireguard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Orcus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wireguard.exe

Executes dropped EXE 10 IoCs

pid	Process
5468	Orcus.Server.exe
6136	Orcus.Administration.exe
3336	wireguard.exe
5060	WindowsInput.exe
2252	WindowsInput.exe
4224	Orcus.exe
3980	Orcus.exe
4248	wireguard.exe
4044	wireguard.exe
5528	Orcus.exe

Loads dropped DLL 57 IoCs

pid	Process
5468	Orcus.Server.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe
6136	Orcus.Administration.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	wireguard.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	wireguard.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	wireguard.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eu.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fur.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ro.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zG.exe	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fi.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\id.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\co.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fa.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fi.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hi.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lv.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uz.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\af.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\bn.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\cs.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\7z.exe	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mng2.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fy.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gl.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ku.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ro.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\uz.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\es.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ga.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hu.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mng.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ca.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ext.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kab.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\lv.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\cs.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kab.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kk.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pa-in.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tk.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\va.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\az.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mn.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tr.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\an.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\io.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nl.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hr.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hu.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\id.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\is.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\it.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ky.txt	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\7zCon.sfx	7z2408.exe
File created	C:\Program Files (x86)\7-Zip\History.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ru.txt	7z2408.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\tk.txt	7z2408.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0	Orcus.Administration.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	7z2408.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 84003100000000001a59ea781100444f574e4c4f7e3100006c0009000400efbe02597d631a59eb782e0000006ee1010000000100000000000000000042000000000092a7680044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 5a003100000000001a59ea7810004f726375735241540000420009000400efbe1a59ea781a59ea782e0000000236020000000800000000000000000000000000000092a768004f007200630075007300520041005400000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Orcus.Administration.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Orcus.Administration.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	Orcus.Administration.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Orcus.Administration.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\OrcusRAT.7z:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2828	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	Orcus.exe
4224	Orcus.exe
4224	Orcus.exe
4224	Orcus.exe
4044	wireguard.exe
4044	wireguard.exe
4044	wireguard.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4044	wireguard.exe
4224	Orcus.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4224	Orcus.exe
4044	wireguard.exe
4044	wireguard.exe
4224	Orcus.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4044	wireguard.exe
4224	Orcus.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe
4224	Orcus.exe
4044	wireguard.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4940	firefox.exe
4224	Orcus.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: 33	5616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5616	AUDIODG.EXE
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeRestorePrivilege	6136	7zG.exe
Token: 35	6136	7zG.exe
Token: SeSecurityPrivilege	6136	7zG.exe
Token: SeSecurityPrivilege	6136	7zG.exe
Token: SeDebugPrivilege	5468	Orcus.Server.exe
Token: SeDebugPrivilege	6136	Orcus.Administration.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	3336	wireguard.exe
Token: SeDebugPrivilege	4224	Orcus.exe
Token: SeDebugPrivilege	4248	wireguard.exe
Token: SeDebugPrivilege	4044	wireguard.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe
Token: SeDebugPrivilege	4940	firefox.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
6136	7zG.exe
5468	Orcus.Server.exe
4940	firefox.exe
4224	Orcus.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
5468	Orcus.Server.exe
4224	Orcus.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
6136	Orcus.Administration.exe
2828	explorer.exe
2828	explorer.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4224	Orcus.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 1336 wrote to memory of 4940	1336	firefox.exe	99
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 2040	4940	firefox.exe	100
PID 4940 wrote to memory of 404	4940	firefox.exe	101
PID 4940 wrote to memory of 404	4940	firefox.exe	101
PID 4940 wrote to memory of 404	4940	firefox.exe	101
PID 4940 wrote to memory of 404	4940	firefox.exe	101
PID 4940 wrote to memory of 404	4940	firefox.exe	101
PID 4940 wrote to memory of 404	4940	firefox.exe	101
PID 4940 wrote to memory of 404	4940	firefox.exe	101
PID 4940 wrote to memory of 404	4940	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7z2408.exe
"C:\Users\Admin\AppData\Local\Temp\7z2408.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de5b8e4b-8698-49a9-93d8-7ebd21501927} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" gpu
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b03e826-6f25-4f6d-a9e8-415b4cebaa63} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" socket
    3⤵
    PID:404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2832 -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2916 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80e8f48a-8d67-431d-9086-b22b37c83705} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:1536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3868 -childID 2 -isForBrowser -prefsHandle 3844 -prefMapHandle 3836 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc1c7d11-0155-428a-8ee7-647ba90c4721} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3652 -prefMapHandle 1440 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96cead87-8c27-431e-bd49-02783d1ab344} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" utility
    3⤵
    - Checks processor information in registry
    PID:2116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5256 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12394c0d-f0ec-4ca1-b6a1-aa1c4552f7f1} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92e1f4cc-bc91-45ba-8161-dcd53e8ee3ab} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e97058a-3583-41a7-a91b-e1ece9cf3684} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4600 -childID 6 -isForBrowser -prefsHandle 4624 -prefMapHandle 4620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf3a9c28-421a-43ac-ac32-2f556b5fe912} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -childID 7 -isForBrowser -prefsHandle 2684 -prefMapHandle 4752 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10fbd163-6d69-4451-93fc-f87eb0adb292} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6380 -childID 8 -isForBrowser -prefsHandle 6372 -prefMapHandle 6280 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4180ff40-318a-4ea4-b312-2dc060a79d89} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1444 -childID 9 -isForBrowser -prefsHandle 4780 -prefMapHandle 6296 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed1b5eed-d951-47b2-93ea-e13572513ca5} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6912 -childID 10 -isForBrowser -prefsHandle 5976 -prefMapHandle 6944 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23fee062-50df-42b9-9d8c-98fe1e48ad1f} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:4772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7268 -childID 11 -isForBrowser -prefsHandle 6804 -prefMapHandle 1176 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc2d5aeb-3863-4aaa-9ae8-9be2ba5ff23d} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:4020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8700 -childID 12 -isForBrowser -prefsHandle 8088 -prefMapHandle 8092 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1277793b-aa2c-4739-bc55-c6465b9308db} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:1516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -childID 13 -isForBrowser -prefsHandle 1444 -prefMapHandle 8812 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0152754-4a6c-4619-b9fe-2b6bfec8f2ca} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9016 -childID 14 -isForBrowser -prefsHandle 9096 -prefMapHandle 9092 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {961f95c0-3569-49b7-b5c6-2918c32ff2f2} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:3744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3412

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\OrcusRAT\" -ad -an -ai#7zMap24575:76:7zEvent26857
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6136

C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\Orcus.Server.exe
"C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\Orcus.Server.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5468

C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\Orcus.Administration.exe
"C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\Orcus.Administration.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6136
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /select, "C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\wireguard.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\wireguard.exe
"C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\wireguard.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3336
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5060
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4224
- - C:\Users\Admin\AppData\Roaming\wireguard.exe
    "C:\Users\Admin\AppData\Roaming\wireguard.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 4224
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
  - - C:\Users\Admin\AppData\Roaming\wireguard.exe
      "C:\Users\Admin\AppData\Roaming\wireguard.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 4224
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4044

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2252

C:\Program Files (x86)\Orcus\Orcus.exe
"C:\Program Files (x86)\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3980

C:\Program Files (x86)\Orcus\Orcus.exe
"C:\Program Files (x86)\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

Filesize
45KB

MD5
95facc7bbc0d2f7df3a050e3298da2bb

SHA1
46c647ba741cd337be16878f6c5aa9cffc1f5208

SHA256
aec92e50d4974ff27cbefcbca3e49c742df2e7f0a9946befd0b4c0cb71ebbb6c

SHA512
6ad34100399dbb2f3b4b1c734f81f67fe31f572e5256e007bbbb073ccb12188320736c66bd28089892f5534dbf469ed9b9a6f3fb62ba3aaa008ad62717ff3d8a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\doomed\26607

Filesize
15KB

MD5
07a0f3456182771a94384d351f123c76

SHA1
16af840d1fb329ec1db5b605203bd1af8f85770a

SHA256
a108ed5f81778e7d2b1058de110db518d6cfacf5570f151f163ad2bb30781192

SHA512
009a11adb89f0f1fa291a7046823b9184d7d766de4afef95103e859e68d4b8bb0d5c65906ed672efe01b0e5bde3b57c5992c655b0fb33695aca350c41c2e7416

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\doomed\26682

Filesize
9KB

MD5
44ee55766d15b3261b5348157cf492df

SHA1
70f5037740583b9ed45f4fcd77f49759260cba1c

SHA256
ec775eeb8096a51650994fa8d2e638e3c49373e855c4a2d68d1b698c24f2b78f

SHA512
e2788848eebfa7597bf993ad10863073cb703046159098a62b7cbe142415e5e6d07c0ef4942f5e1e31b61706ff8f9e7b941b55660a1e12a543d5cfbd99e704a3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\882184CD8136FD72D1C4FA4B4D392A0ECE213D89

Filesize
158KB

MD5
4b3b8a7f9b9980e5a984ce70b134d22c

SHA1
4f82215d092971583dc870cc02c8257ad6659865

SHA256
517d86feb700c854a39c2ea6de993abfdd4d8d6c3c184ac3263b05ced79e5e35

SHA512
256f14c5c356294a0b12e72079f08970f5bf08ba7cef69736c8d9a2c3637cee4fcf00c2bcb1f0f33afc6c18863a7f18d8df72ea98e094775b549407c42c1527e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\21E29AD7CD88FD3C37963FFA4C49AEB2\32\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
15KB

MD5
67a5c985a5d786a2fda828506f0a8b4c

SHA1
834965c820d09d16b8f9a8b4ed686e6c5a1b96c8

SHA256
bef7d96dcec630c1f55a27060ffaeaa3cf7d1d982e50c605c495f8757050cd0f

SHA512
099eb00688e7b4ec70f39ef0f40cfef05d6bdadffeed132477a2239604ae55587af2458258f3322f10f356f5ad2e9088d59061ec4197306fbb5ac0a9a84d88c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
15KB

MD5
e8361e14c55e4735a0fc015b7aa1e6b0

SHA1
f658dfe9d2abd78cdec2df5328953893ebbe8ce8

SHA256
160f2d360afc252ec9d57cf4c34034b840c3ec3e41de3ab7a9d2282df23affb8

SHA512
c894c6542ee0a6eada608cc0517e8a41ea69309726021fb4ad829700198894c77c7a6191c542146418e0efe5e79b5f232358c6405d92661866fb2f2c1af54b56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JTGAEZDPRGM1OKLX22DE.temp

Filesize
13KB

MD5
bd831529b6b0aa02268d27b7b7209cfc

SHA1
7bc5af94646ef94ad769883faa07fce37974abc1

SHA256
0a43a89627fa088cbe5669e842169764018131bb07321dc13407ddd7408219bc

SHA512
0381bfcbe65af3cd1ed1bd39fecd46d1fb05e158e4af224cf017a084b2baecc4aafbc7f575b6ee2b1718cd6e8ec12177bfa1b03a347f2af29b0e05f4d37224a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
8KB

MD5
7186e842f09f4073c6e2969b4579c85b

SHA1
02e3690b8d817fd0dd2878e5d22de2f7b0802be7

SHA256
6a1b44268e8d8045b76c0c829ac4b321d6d0a921f85be7c6b53f4248c31f0d49

SHA512
c888d6787c20d2f7a49fb3e1a2a912e9e2825a9763e0d770815baf4aa2a5a7c771c30e58392979affecb66eec8861592b5949a3cd4faf3fc47f7302a163b3ef4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\bookmarkbackups\bookmarks-2024-08-26_11_2GxRujYiZcnlpEJcTnMLXA==.jsonlz4

Filesize
1007B

MD5
a48f6c92c707d501aabd41be38ac8155

SHA1
56c49e256ef8f9665a21bcf9c27afca0c89bb87f

SHA256
4a86885385ee3e074e484b0217520366a7d954c395d0cacd4ac0f03832f932e5

SHA512
0b321a7bcfc7da5fedd48692f66bca266f2d9ea4197b331b3492118fd355e6a8e58d9f7f9a7e2746c64bb443fc945fefd3c1517c27c23e65d1fde3cc813c77bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
9ed3ca309c9334bd7e51cd3331f12584

SHA1
e1858127b2ca7a7d8ddd8e7d92d14cfd47010e86

SHA256
7bf92f3b2ed6510e21bc561429f8abe503a55362cf97e3c424de734c05d04bd2

SHA512
4ff1a894d97f2e949752805ca7a44719948246adc2669d65c575a9d4335605529ffca7ede18b41195c3ddd86aec9f62bf13cae525b78a22aef9dc3a0fa9bc1c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
45KB

MD5
a693494a50147f2ee3f46851ffa25b59

SHA1
3494f9208585c96c3b6e67e53950210ed7853875

SHA256
82175b2d722982e7064ff23b9bc54d3a69616ead28b4db207cb058d9b455072b

SHA512
f20c8f4e1b72c6f0fbac5aacaa8192e8e8fbccbec8119ab508780964d5c4178a6e49d61111175d39bd2095c0fde5d8b1f921b4384818b45749dd4e79d097982e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
45KB

MD5
4f7d52e8fea530da624c6fa11ab5829b

SHA1
485b8337f4113685ae0bd2e90f94acf7ecf403e1

SHA256
abbc758b8813120f421ecef29d36d91b0ecb92139415095f4d2a2bd5edb7bcbe

SHA512
79243eb82c4bc3bd49973f118ca89d51a587202d906c0a2087bf7a88861b9fcf2d09fb3e5c65083872d0d959f1edea8503df644e01f00e77c08d438058fdf1a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
46KB

MD5
5a6ddf0e6a2777258072aa4e3ab81afb

SHA1
669691f8df9fe666b0703d92d4a679b711e12b96

SHA256
d0f3d90d1035b8d6ea030d2ec2c309cc90bb36fa44dd63f017e5480420273c07

SHA512
a6df5ed7cb5b22686dcc115a3f4b6643de37631b76b4f03350d1e9a09266b8f9063f29db0d18ec256499535073bdaf9a9fa1508aba939918b582b64710a2b706

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
50KB

MD5
95ac883509d0f7368f387af5114545a2

SHA1
89a36a3c8dad771623784a79476b5dae604efb46

SHA256
8f9945016998bba1c6216f9ed50875ad6c409ccf67e75279c6eed1c479fd0c31

SHA512
fcfc9ab86efc12f2d13d96c62da4b2f99d926d00cc48bce8fb99e2867d251191e3af84ab6af032f8357155102fc207c73dfc7cecd5eed0282a55dac47a2d9560

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\7ddc2539-4a75-4c9b-9ff2-2164ed099ab7

Filesize
982B

MD5
53c8a124ffcf7e2fd2fbf01347336768

SHA1
fcf3a52209b725e70f7883d5837ab9436591d38a

SHA256
924833d637206ea3c763e5afef756c03a926814edf1f7987947a20a6def12a5e

SHA512
87624a3e8ac91265f763c7da2516cbd254ef491470870d591f45e965240f79f49be9f8a727be53a1acbd5e09fb275a8122e95b60ef067384ab57f0d1928fd542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\db1cbf1d-feea-44ae-bc2a-4e1922af618c

Filesize
671B

MD5
83189679c200b239fdb9933de61edd1e

SHA1
144837d7d977007fa8df5f1cd84e6ec028ed6cf2

SHA256
6eb95521aa4b604095ad02bfe99839eeb60c80a0c0c8068d0160e2a8872f9106

SHA512
3ff7a7a7897ebba100ee2de06fac66bc75cebaf0fdb9ce0dd2de8bcdb96f9142b5699e25469cec6f2ad5c1c21544079c9fcb057f942270d8b30c218fc3831569

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\fae9e4b8-6372-42d2-9eaa-0bb9056a6207

Filesize
25KB

MD5
9a6d2861739205b297a265d036d2d365

SHA1
c2ac22c108f3ac68a0c2c2116547bd634155cfc1

SHA256
c3cf633ded7da4974ffab73544713c1710f362a394518d8a39f36303c6d3b109

SHA512
276f39653ce17a769429769cae649c5fbc8561ee86800773961780483b7698730c6ed70da98ebbacba12228eac4d864bcfe190a8b39eb91fba9147f71320ad30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
11KB

MD5
ad49146c4b2caac761008e84d123b79a

SHA1
a4ad407768271729a0b8df4301c4a42c649b07ab

SHA256
12c16d248160e1aa4edbeee2655cd5e6019160e5d51cad9ca4bc6421986cad54

SHA512
4159d9b07dd677bcf0f463e57b2d5a44ff5a87aa208540a66e264b95fb5e52f12ba433c475c03aa817f9009c2c415f9051aacdaf1cfda0420bf29abddcbf8f39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
13KB

MD5
a13022740ed69ffc3d7f1bd14b0dc496

SHA1
855dc6a2a0ee82aaf2fa0cf70d7700a6e26b3d86

SHA256
8e88269893bb112535b3bccfb3edb8dc7ffe3d81fe0a023e8cee7d0bf4df63b9

SHA512
b452a7d7695ae8a16d56cf8174c148413298dd839b76da5bd86ed30e3c0ffaf15363a8febd81e04f894dc6482605594f5c07705f02b080fa7aa1d9f05320d922

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
11KB

MD5
1c4b7b740c7fdee3f5f3c685d246369e

SHA1
3126e93aa1cf8834a99f56073517e6ec37b88717

SHA256
bcec5315e38f0b3760750448d8741db28c844554c3a7b8c41e72578baacdce6c

SHA512
48c5ceee1c6364a94e0de9e771ab898559cd6808c1629e45906678ed7b4339f4516cd67b3fee1292468b1a7ad68252855c296cdf7185c1b0796c21feb3db5ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
bbd10164f68db4d8ba9f56ece94b89e0

SHA1
d0b4db1bfa4781429230986ace089144f44345ff

SHA256
9c8d5e42e5c231f9bb86a40cca176a0e9e5c1cc59873127df1167344482e5145

SHA512
826ae719b1c78f770c4ebe1f0af223d1faf738215ad55fbdf75c6325e8567c5fb996b71806a71a73e4e97ffd59a6d161cef26a299af687c29fd90ff578a065fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
de8ace402587437e4b75f850cca7b72f

SHA1
227214218996dd925735caf40e2fb7cc71573fa6

SHA256
431e079e4bd2385d9da88eaaf0e594f5f7fb15c0bf6ec3362ecc735554f9c463

SHA512
a7b54e980fe8dae341676e0d6d703257299e91923b6c0c7343a1bf6c33a70a3200b3a62b1536afc57b714286a6f2abef9b3f380faf088d52a6bbfdfc59d97085

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
051a29eaa3ed8750edc0058d43c72bf3

SHA1
c9e7df10e14954e90663584e7b19196aed414c5d

SHA256
54ec042d6400eccb4f45cf6b228ad1f79674f47cf8f3acab28a90fa45f246c88

SHA512
5f7809f9ff2622ecf49f8659ec5277a0191e8e9f4da2de671864893a1a8bd593d08dd5ccc30c32514f52404886239fec279980feae026a5aa5a6839d2947aad4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ea484f84c3b9971eabd8345fea66b546

SHA1
d497b90744459a4b57762dd38b2f634fd9117214

SHA256
28a9e1d17fe0ff001f45464a435ff8cecd1c9277ea56389e69ed8c2114309614

SHA512
ed886342cc4b37d59ed268cabd2e67e60a45c6ad255e6a2ca5e9d72799ea0e6d8fdf9554273ed313486a4b902a872ed4dbb166c0bd10eed88c62282d0b821c37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
3669e08f0afb68551ad76dbb58a0767d

SHA1
94e8ac68432189e58cddf11b84e9c053d190159e

SHA256
e35914fcf3a1256cc33f90bdf6c88afaab3cc329f0ef08cd3f9dd2661df8a2c8

SHA512
afcc0fece3bc848719e4490a880d44081165fc09047a59220ebbb3fc0fbd45b26c4d0bb3f3b30194f24985260587a59b68dc42c5edfc40794c44cf218a94b060

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
b02714897e15b3d5a2c8323dc151ddd3

SHA1
112d8f20becb8e1f50ed0bc4069ed56de2c93468

SHA256
b51b6ba6da3f438a588da507333c0deae77602e3436f50685adb534090d2ccab

SHA512
6f63a8de03427a74a76b8156345a06460a55de507c84bde15f94784aaae59e032b288adc3825c4b029fec0f7728c5a9c16f2975cd66182982fe2de9f0367744d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
62d7ff891d88f25d3a658302e417e5ac

SHA1
263e60201f09b5988bac7c5c2edb75f9b685645c

SHA256
75eecb2efd4f9bcf1de0e9d19069a14c12237fa35ac2b280c2cbd73a93c4f187

SHA512
46ed30f0b6f69ddf57e23286531c10f417842a8dc05ced4f41104012cf63af9bc4f069c78e9126a77425b20ff8ceae58706ad90af4b21c9f4392c0a32dd5abba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
094ce8e67a51d26801e1012a13f48890

SHA1
f7f8a3697a076ab2616394a25af959644ad4bc78

SHA256
ff3e90f56d06935260044157fb1b1458778dde29530aade4a0e57a85e2892e21

SHA512
a4b74efe23ef0a530bcb0653bd4d517ab14ad635a4a1c11742683bc97887a353ea598b5cb60f5e14eb5f1fb97b94ed212861817bfc1279cefa038fe8ce890878

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
e442c01043be5fa862414297598b80e6

SHA1
b9db0e9e4e0d1767f36c9563636b4d6b52a91dd4

SHA256
942378f0d7f5bfebd52edd86eb289ad8dac75169cea6a38761e8dc2f0b45c2a8

SHA512
dabb3698a661a03d7a9daf8ec706edd8e975407f7154968dc07fdfe852afe932218e6de0a6fd238be42b8e4ed8d5aa4f223aafebe2724cbb4be8a6e154fcda89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
368a2636bbee4e535f60032fd43eac43

SHA1
3a6e8e148983605e5ab1cedac9fb556391a8ae46

SHA256
d1b767fcd44ed7806e6dbf50e88b8a8978b37ea8ee9be25def30205e6c0f49b0

SHA512
741b32eb7080eecd4b6c52e507a27ab9686ef81505588a593679f21984213c575f3fb771a2f4fbb9bea59663dc75871a986da147c171d4fd08f4a7475ec22548

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
f093739e2f36b93f9692d61a321b9661

SHA1
5fdef0c76ce253b1a21e7e0982dd516582f9469b

SHA256
59263e4f1c7a2a031308853ede0f462fe4d46deff6e24f9ad400d4754ad75f85

SHA512
2a0daeefe3ad129a9fe23879af5c32639293ed6b80fba03595ca68d90fd4f64dd994555ae91feb47c9ac7b92aff11094b7672594ef716b31ce2eaaff8092bb14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
99598f2731cd908fab17b41617190d10

SHA1
4d2d13428b795039502732540a85dfe9847938b2

SHA256
d265ae9ec9cfa3b717a5c1c3137066cab3d446a88398854d462e5ce8c85acff9

SHA512
96466ce5a625d75915a26c1bed96247bc198ffb58247e7235fa697128047e7cd612c90de85cb4252d69c2a17aa8b0ef095259e48cacf5021ad50f8f1061f2b73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
4e3d4219627ea47f7f1eec6a3779a0e1

SHA1
9c903bf708c85173a771386367cf3677c6c7fe86

SHA256
862ca0ab565c3cc2a779051c0edd0a73f148930a5043446986bf19283572ec8d

SHA512
511707ca11baa7a219b56ff53905b5c5ec9fe8757ffbe57fcea3b68386d89cfb53d5d5577a7cabe82d9679dfed9a935644a09b3b327ef2e3d805bed59f6830de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
e4a601819e104fe38e99da0010eac347

SHA1
e0bfaece79fe309e1c3b1152230f329907c4165b

SHA256
8ea28edc6db74a31153c5171f6ca2311799712b89fa780a778363ed1202e9c3a

SHA512
99a4ddd967b75c3de09712df7e9d89ddd30c79517ba714b35ed0a04a82ebafe90a9d739b6e1c438a129fad5d8034e86f50b46da152327cf7ff4e8ec41c0f79d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\default\https+++mega.nz\cache\morgue\61\{758d5d3a-f551-4e6a-8237-bb2458cef33d}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
c6549ab4f555bfb7dbef4d1234ef39be

SHA1
815cc566c2c55d6e576f6bf1fd948970c7145dbc

SHA256
4541a9e2b196985de86c24e783c61b8f63e36cd59e5f6b2a153365f37c02f88d

SHA512
f1a8e4f388d548e84adcc34735999e2bba44f6978a7454cf425c2d48fa813664518e98c42b45156a69f718a4ab00a9ed7c7039eb976c0b2fe5d1200600591094

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
600KB

MD5
67545dae91302dd6775ebe59f833e866

SHA1
a76c1672d709e09bb3fc3a6d28c95c1f4b77a31e

SHA256
bc41cc9fad2e4bda64f8347376460c3e26dc43bd01686698b6f5dac07c97e130

SHA512
404df058ca669a6e12ce03eeaefcc715f2e46f1757f12a46ebec47536f07a666a24125dfc0732004edffb085f234c8583309311d18af44ce73968885c2e2d11d

Download Submit
C:\Users\Admin\AppData\Roaming\wireguard.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\Downloads\OrcusRAT.wOWGbHOI.7z.part

Filesize
21.6MB

MD5
56b267c137ae52bb5bfd01d62e6e9f95

SHA1
dbca02d965c3fb4ee40de6572016a389be2ee2d8

SHA256
3ad5f2990414da79e320ea8f2ded41993adf0e2d0e0eefb11ab085f7e55f320c

SHA512
e0707e843eed02cc54326c85c0caa1b1006569f8f1f8ad45fc39d7504d8bde6e422b746c599a6ae2d78fda941a4d444d343510a2e0eb95a86d5d8c3780f6d286

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\Orcus.Administration.exe

Filesize
4.0MB

MD5
cc3670f1b3e60e00b43c86d787563a44

SHA1
4f1f8908f0ca7dc5ad01c3029206cc8c9d735e09

SHA256
9ca18641bc6b48708e4314b3f8275860aef6b9ea16cd6230d781f0abaa84c853

SHA512
684e584d8f2c6ace168760faacdd6ef44fbb85ec519805046e7d183ccf9faf4eb6764b84326aba0a90223a5b8354c3f9d055cf2297416b4562ca417924da9442

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\Orcus.Administration.exe.config

Filesize
1KB

MD5
d689a8f25c2be9024f4841123b3e4053

SHA1
22070d67b9edb78f63bae994dc17d6ae001e6cd1

SHA256
7383bcefafa33afd801befed53528cf8b1f16eff9233ac106c3297cc5d54df1f

SHA512
e2245628f91bc7368599716d84f2fe7680bd998ec4a3b4f9ce17e4d993648672c139f7878f22f03776571e7462095046747cf5e46cc8c3aad02d51512c2038b9

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\CSCore.dll

Filesize
516KB

MD5
dde3ec6e17bc518b10c99efbd09ab72e

SHA1
a2306e60b74b8a01a0dbc1199a7fffca288f2033

SHA256
60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8

SHA512
09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Exceptionless.Signed.dll

Filesize
722KB

MD5
1b0128f8b2bf3aafec28817c2031dc70

SHA1
b3ae68cb40a7fa82105e82d292d3e037f1a8d50f

SHA256
98672dfd5c31b77afebc9853539a828836ec72e7d9b0d5f5f5267ad2ebda16ba

SHA512
40e340ef2ed967aa055fd053c80b69a09404a70e97a63aec5598c992c907ac2af40934b6cc81c0980291ab4e89ec16e6eb47e7bc0fb587b4bc2c13d8e26497d7

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\FluentCommandLineParser.dll

Filesize
43KB

MD5
9b5e37f89268ccce0e098222004093ad

SHA1
30b12174abda6a420b2cc152b5c682ff8f106c37

SHA256
fe068b6f15a5423f86558927dd22ec35070c041db9cde1ecade0590d93ca5285

SHA512
23e8cbaa6103f5a76729ee8470b5b208d67be22c9b9fa78340055ac8ded04dc6147c8c50cde96f7c10b111f81cab3e5504227ac5b8f1a616c1a1384c6350257f

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\GongSolutions.Wpf.DragDrop.dll

Filesize
66KB

MD5
21e4c0b33f44d13cdf91b4faf828c044

SHA1
13b8f124a0ad69b135da714d2cc656923ebd66e1

SHA256
508e1187d1a42cf9d7a2d7eab9012fc1fd75a24b6d94d9fa636d81dc38c4fcbb

SHA512
f96c12db8626850fd6ec243f68f8c6e7834e53effa8afa2365d136531d3b4008546cf9921dd5118a1f3dad176f34fad4aca03d3cfb617875c63316350693ae25

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\MahApps.Metro.IconPacks.Material.dll

Filesize
1.1MB

MD5
d8e627aadfb6dfed292be0672faa9f15

SHA1
2a7f51711bffd75ecb2d7ff2f510c89eecd16366

SHA256
97f4ca8c89ee13b8c249ca6f929d067ba3e87be07b4afa372fdc0a7e9e6e78e1

SHA512
d5139830d367a29e76ca260d9b17955cff80f1779c157551642f7e13d9abd265335ba0bbda433e8898042d482f29d79c48683fede4b8af746b69a7dfcd02098c

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\MahApps.Metro.dll

Filesize
1020KB

MD5
63a79e31b7bc52bb9aec3a747cbb63fe

SHA1
dc62080001c75242dee8686b6d8078efcb37e2a7

SHA256
fb5fae42fcc19f3fe3ed2d9b1fdf0594a4c442148b58ac4d2a9dafdda847e673

SHA512
3af468554238df0807e25446fe028e9de381d3b0086edd8d9ff1aab52bb8986a9dddb5618d2a4f6d1aa6011187bcda4cd1858bf72d4a8bdf253c350bd0292b32

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Mono.Cecil.dll

Filesize
263KB

MD5
cc0bc97cb18ac4e7c6f4decf0218a127

SHA1
8901c4a54995aed5e786dda0928905bcb98242e2

SHA256
ea592e7ba43cb057966778b0027c0d6e7ce9672741b5d3c8c927d48918366183

SHA512
e5865188de26c7e8d71c000224626d7dd0b26a5542acc9bf8f7974f5cb595386fd25e6e425ecaf57550e12600c6f37670a19a3a361381c10b97f9a26d1cfd856

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\NLog.dll

Filesize
585KB

MD5
a10a1a2ae1c77e9c7b3fbf7df9179998

SHA1
2e46f3ad8277105e5d4b71a363506bc16ae35be1

SHA256
6e7016fd4ccf28a1549958dfe226e48b236c28c9b240c983e38bac0eb6b08989

SHA512
f3b2b07a3942eb63e9ca89dc7022f6ff2dba3c9898c59501f00fe4b1c3a253226337a4d1f2719eb093ae3bd625a95998728818560067a7f30c4f767e1ed186a6

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Newtonsoft.Json.dll

Filesize
514KB

MD5
c53737821b861d454d5248034c3c097c

SHA1
6b0da75617a2269493dc1a685d7a0b07f2e48c75

SHA256
575e30f98e4ea42c9e516edc8bbb29ad8b50b173a3e6b36b5ba39e133cce9406

SHA512
289543f5eea472e9027030e24011bea1e49e91059241fe6eb732e78f51822313e47d1e4769fa1c9c7d6139f6a97dcfef2946836b3383e8643988bf8908162fb9

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Ookii.Dialogs.Wpf.dll

Filesize
105KB

MD5
5926472580c7a7b45cd611dc0fb06244

SHA1
a3b33bc8c9963f727bc2a2714ec6de0c607bca40

SHA256
04b8cb55ff481a4f4f9a60bc3c5e06ed78c12a8677c211621edcf9d8467bd823

SHA512
be05b4695896b4a2ad2ca63836c9d05084b8aa1b71929e1b081fd47b851282438bdf8c7bc65466ce7f3fe30335e743c0bd12aa52670b12d6eaec8b3bfd193056

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.Administration.Core.dll

Filesize
192KB

MD5
ad3c240eb1f76b5857330238e079b818

SHA1
dfa5511b157b2cc6f13c0af3acfa9d2f76196b6e

SHA256
949c1a060e7995c08c6321911492cb8173611adf283103768b0eb3f786c9594f

SHA512
37ccda9670ae15aadf29983aa99e552823029aff877295f589f69a9a356e4b5c68b79cf37b04244b3e958088014f6ac8c111d729cb45ac01825e11919ba5dadf

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.Administration.FileExplorer.dll

Filesize
108KB

MD5
64d39f6ae623e811adfc568e2c4339f2

SHA1
8edda4a68c7e58e3eade8a2cfcce612b97ef386e

SHA256
073962b2c49be6fd7c844db723e6b8bf3ad950955acc0cd2b8f28a004597cf67

SHA512
3ca5e87563873feea3523736a49c16a9099a157c9adcb13e10d69d797e18ab4221f1cdf9eb89c5ced8e32689d76d19a91c90bd5ca9f5fce64adaf2992e1222ce

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.Administration.Plugins.dll

Filesize
37KB

MD5
c0a1d945b4edd07bfd16c7fa8c702425

SHA1
1fea222fe9234ed61753dfc0dd2ee9f85d0ed568

SHA256
8ffe6de509f29c52b2a62fae165dc91d015073eec33f2c8a90f36d08e0b8581f

SHA512
f145c243563a1bd9b18e3ba88bffe17ac4e8206180dab7392be417932753ab0ad26cfd1a8937f563dc89f2d60badf400b317ce794d547ff4951824bc2f8504b7

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.Administration.Resources.dll

Filesize
14.0MB

MD5
4c1637c66736593fc3df725e8808dcc2

SHA1
cea163b2ca6a6aa463b47ea84b4832af2674e2c4

SHA256
15b9fbbd653192da82fdd6b3dabdd2dc04a5a88c7fac7fe51aff98e1b544bdfc

SHA512
95cd2ce95be7aac7a4a4162a60d1fccbabf215eaa74f578c24aad5f0eacba9e37042938e5b39066666df5254d36ca97fce02429952a99e58ec25e67249a2d84f

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.Administration.ViewModels.dll

Filesize
529KB

MD5
2bc1236c108c3c8ec1eea5b7d98918d5

SHA1
603aec7bd32c07b131100a888a4dcb7e925463d5

SHA256
ea223476d216cb4069e0a09198630d41af6e71427ae1f219c1216e3e3decc3f8

SHA512
5707299d7db96e23894bf18b9ba6445318f7409b211cf8950c8343036ccdbe33491819446bed1f0ef75884a42af2eaa60951781bc6508049f9fc807fce68eb78

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.Plugins.dll

Filesize
44KB

MD5
b1514fb82d332691bec05d5eb215621c

SHA1
dceff86769ecde35030027c56a83275a0049890f

SHA256
7aadc3b3cdf8ad6e8e6032ba2701d67703a8b530032d985215b146249c7ec9f0

SHA512
1907f6a763faa094b817d2c77835f9f87ece3cf1e1a1c5107ba995a66e6a03d2b948fb737e33ba329e876962447cc3bb245a29f76ade4d7fe3a3259f902e05f6

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.Shared.Utilities.dll

Filesize
61KB

MD5
b35c2b279b4fb6e97937f09b98a529fe

SHA1
26d1aefb8bab976d72c855051023530212833a79

SHA256
393583b6dbb47e8de1c559b689aaf74308ca63a7cf0aa9fa56ebb4eaf6eafc2c

SHA512
3068d8959296f597364d7b7832a22a4f1a293978a210028537b0dc0373758b72ad57f01506f61014025dca708e6443e6093c6ce4d2f763cfe849d65e110c5d9a

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.Shared.dll

Filesize
356KB

MD5
ff50d43370efe0bbb001155843dbcb32

SHA1
67a03d93fbc4f75c1a6eefde5e61f5f4ab71fbbc

SHA256
496782100ff55259457a6bcd20b25b8a2b925e9830d9cc05be40114a30c1a1b1

SHA512
cb884026510f1c46d1b97f175aaeb5b6e1f9b525bdd4c4bc70fd32c139cb01d6797a10fe5ce6ccbda43d3409bb9b3486c629b24892400a487c82c2f98eafcc6b

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Orcus.StaticCommands.dll

Filesize
83KB

MD5
e6f165cb62b40d4cd53ccafedd0f253c

SHA1
ef9d13b5cec4bcbc11404fec5a5d1d5173d140c8

SHA256
c007c2a4aadc728be29aae5000e2389d0bdc40615d394d32a3dcf97c4e1a738a

SHA512
92f74c8cb147496dbaaf6069ec55f2056cf9153b04a82cbbdd3e0ec295fb8235157aae3ad31e6d913110acb4f785b947feec3ae07bf96d894c81c9fd3a7406bc

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Sorzus.Wpf.Toolkit.dll

Filesize
55KB

MD5
24e84c8a2d39b66e80966f3a860581ff

SHA1
85c4d1d0fb9159dea4a1f4b824481b849a1f596f

SHA256
34e1daea8b1b338654c8dc347d97f435708b605c58808791509c69354eef60d9

SHA512
600e1132f03627633d1460da6f4c02b56fff30704ed6b7f1947e214e591ef42b0e7be828a0dfcce97fbb7665780b061d208b23bbb9f23be7adf025dfd92d6455

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\System.Windows.Interactivity.dll

Filesize
54KB

MD5
580244bc805220253a87196913eb3e5e

SHA1
ce6c4c18cf638f980905b9cb6710ee1fa73bb397

SHA256
93fbc59e4880afc9f136c3ac0976ada7f3faa7cacedce5c824b337cbca9d2ebf

SHA512
2666b594f13ce9df2352d10a3d8836bf447eaf6a08da528b027436bb4affaad9cd5466b4337a3eaf7b41d3021016b53c5448c7a52c037708cae9501db89a73f0

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Vestris.ResourceLib.dll

Filesize
76KB

MD5
01e1e34a2e2622a72a261c41bc017787

SHA1
90de25656fb0119fe8bab5a0e316e72361d93a17

SHA256
e421fa5b5143b08ee6f773deb6b0d7b8f2f9e701fe3d5a698541d34f0757fc46

SHA512
8818707744bf8e6a9c726b9f48d1f0af5f6db77eceafa752c8bbe8702210a88c36353f97cd144eb89541af7a99071b8317e621b2cb7d36bd91748cfbd81b8720

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\Xceed.Wpf.Toolkit.dll

Filesize
1.0MB

MD5
0d47f99ada12dad4894c4298b9348e88

SHA1
560c287fc505eb6e878555b825ed957b5a20315f

SHA256
a2bde70c456b8957bd0db23793938e99d55e8ae6d6d1b9cccd3dc14998074386

SHA512
a79cba5ba5222853db94d4815df96ef371f7666c77feb9f3fe0dfad25ed7d5a803f3f63f20e38dd618e292f5a66ad190ac532b22459afad72bf36a82c478ffd0

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\nUpdate.dll

Filesize
2.6MB

MD5
253ba7f0427e3f8e032b97496a019a24

SHA1
62793783943b04d8836746bb452145722cf63001

SHA256
814eb85113211fa90efe952f35d06e537f01bf38febca48e2c0cef02ebdb1877

SHA512
29f848f4293454a0103197cd3bb59e364df099b7a26f926673b30132ffe3d15b505fbfc3e0391482d9cd9ed53efd0f3193d0cdf83e0fb59ce3e27de878b83585

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\libraries\starksoft.aspen.dll

Filesize
48KB

MD5
c2a974c1e5972d8772207ef8f9c5e39c

SHA1
11e2bcc91e20b982e7967c164053f57a2840fcb6

SHA256
0c52d8a203ba92de6f937a7d458c24854951761ccbbc8d3961bc2b7923239c7c

SHA512
b3250abaf92a2cd81b4eb0e2a0672532165547de90f389c52df61d4f518b8f58569b3d2e0c891dd6f04a6d96f078ba89ddf397d4f486982741bcfcdf4b19fb80

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\plugins\BSoDProtection.orcplg

Filesize
14KB

MD5
2b50b7cfb56070b0a42ecb1db169ff34

SHA1
b163844f1fad98c105dc2b1a146cd0a7f6518a31

SHA256
f2621960fb168e5405ec7c95799d03de871a587b43f4f53380b71de4286741ef

SHA512
1ff7fa67cbd72d3f72251a8472c5e3d0b8589310ebb81fcd021aaa9d7832f3d88e5e0b3cbe0e1208fd7d624de15aefdc2816395870ef515d22176a1f6ad55abe

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\plugins\DisableWebcamLights.orcplg

Filesize
21KB

MD5
5f32cd5a2c08ec5504de906c6f598281

SHA1
7adafa9de45c29b0e58c7df98f1c756ebf05dcb2

SHA256
f54ef6da320b5f66f3562e44a36bf0cea3848d452ebe2b53f7f5dbb28cd2b61b

SHA512
f3f9affc5157a1ac09eea0f2075184d5649dcd8e49c888ead27e633faf543e30d4085997c0af0942398f64b3ef2a62a8a37028efcfa30b77f491e2d34fe34b72

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\plugins\SilentElevation.orcplg

Filesize
25KB

MD5
59599dec85fd0bbecd1e75a5799248d4

SHA1
b36794f2fd93210b358b26297484976340bd3709

SHA256
2818530d97f20bf79f84907ae063293596ed9ea837716edeafb12368c16d35c9

SHA512
fd33c9c3b739d7560e1a7ceceab4a7f88f83d8d6fc938d907eeafd9aa147a8494d9f392d97a42097e961a2e70c5967d80080af4b22feb81cca964d7cb9267a9d

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\settings (1).json

Filesize
1KB

MD5
6c7d28bf34effa5a5ca256273bb2a7d8

SHA1
5f63c1166809e49ed5291efbe8208d87e12a8a21

SHA256
f7479ae10e80a3001f41979b4d804513b4e71e5e5ff1ca3e20d0e219e912eed7

SHA512
c7bafd3c1d1f165b72c719144e7c30ce3c22b03128b33608f4cdc7a5c09272cf3d1debe079aefa1a8f6041ca39cddc814c62c6a56ed65ce2a4e29fa454274bc4

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\orсus\orсus 9191\wireguard.exe

Filesize
924KB

MD5
3e27c548e420aa104e72eb7a419b42e1

SHA1
6c9e7ac9db6f0101cf1c9e862bc94d0aded6cac9

SHA256
1fb2debf77c1d37e462731f8bc3dbc3da0c41cac669222c7991d790e52e12ffb

SHA512
75d7301a7264c6a2ab75de25788bf9187b80c494fd75cc9c0cdde3ad0eca489d7758d9d7f2de4f4d9070ff9141fce20459de016cacc2c1774bb168e2320f3589

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\NLog.config

Filesize
1KB

MD5
073d7a3051dacab30b6eb6468756af8a

SHA1
617df706266203f71ff1d1eb8758cd08e20785a4

SHA256
89ef6ade268f50f86b543db939df5df2dbfd72503e8e3dc74f0866c6549c82d5

SHA512
a653ac8d107e54327f8bd9525a946c9b1a0a7d54436982cdbd3595fe17f514dc1de9354468df7207f5587f0908ee6cf7d57285b7a3ca6af119765c88da13fddd

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\Orcus.Server.exe

Filesize
3.2MB

MD5
700a14ba55fb47f9b8a99ffa92267125

SHA1
43ef6ab246ba72d39cd1a72dd83fee68aceba493

SHA256
594f18a0b5b83c1c64c75830f8e9b2bd4d4629c9c5b9c70b3aa5f0f17b22789a

SHA512
c4ab308a65f267edee887085d358df1ddf83e55fa8f3507209cebc5b44e755f17d583956d170e57e6644d70505a175d58a17f1cdaab13ba7431c4185594804b4

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\block-list.txt

Filesize
185B

MD5
dc7ab9888897071c7fac87bb3438e28b

SHA1
e56cc0cca03ef4739a67fd2f267d8e04c1219557

SHA256
68816e76b153c5fd1d9fc06d6db72772fbd13232e1481bcf74493474b6e000f7

SHA512
14246bd30413a1245f1e9293749424aa0d35e7753b1555ff85a5437b5370704f8619d6ec5f35df711359454534d72b141560061cc4d8e8c69f4ca4d989391283

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\certificate.pfx

Filesize
1KB

MD5
d82d84a10f16168b52db89976c6c8fb3

SHA1
b3f4d3c16e076317d172b71710cb5672e63fd0d5

SHA256
d64678cce7aa21ec5a91074b84c3d2cfcc17fb8a388db0f14e1c3305bbb70102

SHA512
cd922d8e3f4a3e6ed2ef140f173b41f2f830e5bc6d49de2e933f8e15d4dd4a62ce5585dc31df72e104e415443b2344ac0a7f956ead2030efa6b76feb49b51c85

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\config.ini

Filesize
556B

MD5
6485925560e24d36b00b768866f29661

SHA1
a53cfb606021dc3f94341d35e4460e7590c154fc

SHA256
56dd10d4b77ad6335a513a9c675c1cf61d83ad1e78c0870a30867347a33fb239

SHA512
896bec18a17184b5b039affa3538ad1b187684dfc6d81533d7c2629c43a13f5dba038c0a761ec792a294f2c3b5c8af0473040bc84530c13f0f0bd8a134586b3c

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\database.sqlite

Filesize
976KB

MD5
63d1a95aa913fb58e0c20a99f195b732

SHA1
1ddfe8d07e3a5d5caf1bc739c26f444b758f237d

SHA256
a8088afbf9d57525c323b65fe6100a865e2d02627ed0540b7c304e4d1d74ae42

SHA512
07bc951db84164c7c56d6e4eaa702798b24840587ddd69fb676819693e9d5168e6423ca15f45c63791c3baba88b23201ea0e5dcce380333f035e7a2bff5ad6e4

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\log.txt

Filesize
10KB

MD5
410b52d268c1077b9a5c159f497a8543

SHA1
68dc5d72f2b499997b3ce16fc48e08107a520642

SHA256
85f64d98d60948cb114b5827500b6642a9ec9c8e63eaa0824d62474571c5f410

SHA512
1e33d2b232b0418d754212e4094c9eddad7662794c9c161ac9a0933007127fae8751e4f1ba5f0da556ffed5c1e693b48c1dda833e36e8455dc6dab296c5f20ec

Download Submit
C:\Users\Admin\Downloads\OrcusRAT\OrcusRAT\server\settings.json

Filesize
520B

MD5
6e3405dad09f81e1b97f1c54dc6c5ca3

SHA1
dcc99f833d3226fd28a9f7398f1cc16164661a4c

SHA256
cb018a236b434e715253fad3e3ad2a663794050fe4d8f4ec4fb4c8345a0b9b6b

SHA512
cbffeedde373cc29649a669fe7b23022271a76dc683319a4086eca0de83cf8555bda1fac6c83a91c91fc18c58b97b7a04efcaca522c8444431b41deefaa1bafc

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
memory/2252-2101-0x000000001A930000-0x000000001AA3A000-memory.dmp

Filesize
1.0MB

Download
memory/2828-1707-0x0000000006190000-0x0000000006339000-memory.dmp

Filesize
1.7MB

Download
memory/3336-2084-0x0000000009590000-0x00000000095B2000-memory.dmp

Filesize
136KB

Download
memory/3336-2075-0x0000000005510000-0x000000000551E000-memory.dmp

Filesize
56KB

Download
memory/3336-2074-0x0000000000C10000-0x0000000000CFE000-memory.dmp

Filesize
952KB

Download
memory/3336-2079-0x0000000006520000-0x000000000662A000-memory.dmp

Filesize
1.0MB

Download
memory/3336-2076-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/3336-2078-0x0000000006360000-0x000000000639C000-memory.dmp

Filesize
240KB

Download
memory/3336-2077-0x0000000006300000-0x0000000006312000-memory.dmp

Filesize
72KB

Download
memory/4224-2115-0x0000000006A30000-0x0000000006A7E000-memory.dmp

Filesize
312KB

Download
memory/4224-2118-0x0000000006E10000-0x0000000006E20000-memory.dmp

Filesize
64KB

Download
memory/4224-2117-0x0000000006C40000-0x0000000006C58000-memory.dmp

Filesize
96KB

Download
memory/4224-2116-0x00000000063F0000-0x0000000006408000-memory.dmp

Filesize
96KB

Download
memory/4248-2130-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/5060-2097-0x0000000002D60000-0x0000000002D9C000-memory.dmp

Filesize
240KB

Download
memory/5060-2096-0x0000000001450000-0x0000000001462000-memory.dmp

Filesize
72KB

Download
memory/5060-2095-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/5468-1421-0x0000000007BC0000-0x0000000007C0C000-memory.dmp

Filesize
304KB

Download
memory/5468-1439-0x00000000051D0000-0x00000000051DC000-memory.dmp

Filesize
48KB

Download
memory/5468-1402-0x0000000000B90000-0x0000000000EC8000-memory.dmp

Filesize
3.2MB

Download
memory/5468-1408-0x0000000005750000-0x000000000578E000-memory.dmp

Filesize
248KB

Download
memory/5468-1409-0x0000000005C40000-0x0000000005CD8000-memory.dmp

Filesize
608KB

Download
memory/5468-1410-0x0000000006290000-0x0000000006834000-memory.dmp

Filesize
5.6MB

Download
memory/5468-1411-0x0000000005E70000-0x0000000006106000-memory.dmp

Filesize
2.6MB

Download
memory/5468-1413-0x0000000006E60000-0x0000000007478000-memory.dmp

Filesize
6.1MB

Download
memory/5468-1414-0x00000000068B0000-0x0000000006C04000-memory.dmp

Filesize
3.3MB

Download
memory/5468-1415-0x0000000007560000-0x00000000075F2000-memory.dmp

Filesize
584KB

Download
memory/5468-1416-0x00000000074D0000-0x000000000752C000-memory.dmp

Filesize
368KB

Download
memory/5468-1417-0x0000000007CD0000-0x0000000007E92000-memory.dmp

Filesize
1.8MB

Download
memory/5468-1419-0x00000000083D0000-0x00000000088FC000-memory.dmp

Filesize
5.2MB

Download
memory/5468-1420-0x0000000007B90000-0x0000000007BC0000-memory.dmp

Filesize
192KB

Download
memory/5468-1423-0x0000000007C80000-0x0000000007CBC000-memory.dmp

Filesize
240KB

Download
memory/5468-1424-0x0000000007C50000-0x0000000007C71000-memory.dmp

Filesize
132KB

Download
memory/5468-1436-0x0000000009D30000-0x0000000009D3A000-memory.dmp

Filesize
40KB

Download
memory/5468-1437-0x00000000051B0000-0x00000000051CE000-memory.dmp

Filesize
120KB

Download
memory/5468-1438-0x000000000CD50000-0x000000000CDCC000-memory.dmp

Filesize
496KB

Download
memory/5468-1612-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5468-1613-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5468-1620-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5468-1440-0x0000000005210000-0x000000000521A000-memory.dmp

Filesize
40KB

Download
memory/5468-1442-0x000000000A7E0000-0x000000000A802000-memory.dmp

Filesize
136KB

Download
memory/5468-1628-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5468-1443-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/6136-1477-0x0000000005D30000-0x0000000005E5C000-memory.dmp

Filesize
1.2MB

Download
memory/6136-1485-0x0000000005E60000-0x0000000005F68000-memory.dmp

Filesize
1.0MB

Download
memory/6136-1663-0x0000000001050000-0x0000000001070000-memory.dmp

Filesize
128KB

Download
memory/6136-1682-0x000000000F720000-0x000000000F768000-memory.dmp

Filesize
288KB

Download
memory/6136-1492-0x0000000005800000-0x000000000581C000-memory.dmp

Filesize
112KB

Download
memory/6136-1496-0x0000000005C40000-0x0000000005C74000-memory.dmp

Filesize
208KB

Download
memory/6136-1686-0x0000000014900000-0x000000001570E000-memory.dmp

Filesize
14.1MB

Download
memory/6136-1500-0x0000000005F70000-0x0000000005FF8000-memory.dmp

Filesize
544KB

Download
memory/6136-1541-0x0000000006ED0000-0x0000000006ED8000-memory.dmp

Filesize
32KB

Download
memory/6136-1536-0x00000000069D0000-0x00000000069DA000-memory.dmp

Filesize
40KB

Download
memory/6136-1538-0x0000000006EC0000-0x0000000006ECC000-memory.dmp

Filesize
48KB

Download
memory/6136-1696-0x0000000000FE0000-0x0000000000FFA000-memory.dmp

Filesize
104KB

Download
memory/6136-1529-0x00000000069E0000-0x0000000006A78000-memory.dmp

Filesize
608KB

Download
memory/6136-1533-0x0000000006960000-0x0000000006968000-memory.dmp

Filesize
32KB

Download
memory/6136-1532-0x0000000006970000-0x0000000006982000-memory.dmp

Filesize
72KB

Download
memory/6136-1512-0x0000000005D10000-0x0000000005D1E000-memory.dmp

Filesize
56KB

Download
memory/6136-1520-0x0000000006250000-0x00000000062D6000-memory.dmp

Filesize
536KB

Download
memory/6136-1516-0x0000000006160000-0x00000000061BC000-memory.dmp

Filesize
368KB

Download
memory/6136-1508-0x0000000005CE0000-0x0000000005CF2000-memory.dmp

Filesize
72KB

Download
memory/6136-1504-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/6136-1491-0x00000000057E0000-0x00000000057F4000-memory.dmp

Filesize
80KB

Download
memory/6136-1481-0x0000000005790000-0x00000000057B2000-memory.dmp

Filesize
136KB

Download
memory/6136-1473-0x0000000005AF0000-0x0000000005BF6000-memory.dmp

Filesize
1.0MB

Download
memory/6136-1463-0x00000000051F0000-0x00000000052AA000-memory.dmp

Filesize
744KB

Download
memory/6136-1467-0x0000000005850000-0x0000000005AE6000-memory.dmp

Filesize
2.6MB

Download
memory/6136-1458-0x0000000000570000-0x000000000096A000-memory.dmp

Filesize
4.0MB

Download
memory/6136-1544-0x0000000007020000-0x0000000007362000-memory.dmp

Filesize
3.3MB

Download
memory/6136-1627-0x0000000007D30000-0x0000000007D46000-memory.dmp

Filesize
88KB

Download
memory/6136-1546-0x0000000007360000-0x0000000007368000-memory.dmp

Filesize
32KB

Download
memory/6136-1558-0x0000000008AD0000-0x0000000008AD8000-memory.dmp

Filesize
32KB

Download
memory/6136-1550-0x0000000007500000-0x000000000750A000-memory.dmp

Filesize
40KB

Download
memory/6136-1552-0x0000000007710000-0x0000000007722000-memory.dmp

Filesize
72KB

Download
memory/6136-1592-0x0000000006F20000-0x0000000006F32000-memory.dmp

Filesize
72KB

Download
memory/6136-1554-0x0000000007730000-0x0000000007738000-memory.dmp

Filesize
32KB

Download
memory/6136-1588-0x0000000007010000-0x0000000007020000-memory.dmp

Filesize
64KB

Download
memory/6136-1581-0x0000000007D60000-0x0000000007D86000-memory.dmp

Filesize
152KB

Download
memory/6136-1580-0x0000000007D00000-0x0000000007D08000-memory.dmp

Filesize
32KB

Download
memory/6136-1579-0x0000000007940000-0x000000000794C000-memory.dmp

Filesize
48KB

Download
memory/6136-1574-0x000000000DF50000-0x000000000DF5E000-memory.dmp

Filesize
56KB

Download
memory/6136-1573-0x000000000DF90000-0x000000000DFC8000-memory.dmp

Filesize
224KB

Download
memory/6136-1572-0x000000000BE20000-0x000000000BE28000-memory.dmp

Filesize
32KB

Download
memory/6136-1571-0x0000000004C60000-0x0000000004C68000-memory.dmp

Filesize
32KB

Download
memory/6136-1570-0x0000000004C10000-0x0000000004C18000-memory.dmp

Filesize
32KB

Download
memory/6136-1556-0x00000000088E0000-0x0000000008A5A000-memory.dmp

Filesize
1.5MB

Download
memory/6136-1569-0x0000000008D00000-0x0000000008D18000-memory.dmp

Filesize
96KB

Download
memory/6136-2135-0x000000000E190000-0x000000000E216000-memory.dmp

Filesize
536KB

Download
memory/6136-2165-0x0000000008F60000-0x0000000008F92000-memory.dmp

Filesize
200KB

Download
memory/6136-2167-0x0000000010060000-0x000000001013A000-memory.dmp

Filesize
872KB

Download
memory/6136-1565-0x0000000008C70000-0x0000000008CD6000-memory.dmp

Filesize
408KB

Download
memory/6136-1564-0x0000000008B10000-0x0000000008B20000-memory.dmp

Filesize
64KB

Download