orcus | 7753de049d1607a1a5f9686b1d41a6093c7f163742edd9d71e47e76523a3d2f8

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcus RAT 1.9.1.zip
Size

22.7MB
MD5

16d89509da82189fed1a8a2649d2a168
SHA1

fd8d57cae1952adf0e70d40e57802fb70b9aac3c
SHA256

7753de049d1607a1a5f9686b1d41a6093c7f163742edd9d71e47e76523a3d2f8
SHA512

ec9c7485123183731385bcfc0a247d400588d310a6ec981123fa2e883073ef7b8f1d5f835e31a995b1c010ebea4a6e882038f8e341d6bbc9676952c0dd96d03c
SSDEEP

393216:7zO42vwWQW21/wnn//z8AzU6JvPSBQVEjRoG55998AEuFfIReyDAEjR4:vz2gbgX7/jq1oG5L98AvnM14

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024269-206.dat	orcus
behavioral1/memory/1488-209-0x000000000BD90000-0x000000000CAC0000-memory.dmp	orcus

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Orcus.Administration.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Orcus.Administration.exe

Executes dropped EXE 6 IoCs

pid	Process
1488	Orcus.Administration.exe
3464	Orcus.Administration.exe
2952	Orcus.Server.exe
4108	Orcus.Server.CommandLine.exe
1936	Orcus.Administration.exe
4972	Orcus.Administration.exe

Loads dropped DLL 64 IoCs

pid	Process
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
1488	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe
3464	Orcus.Administration.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5752	2952	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Server.CommandLine.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3932	7zG.exe
Token: 35	3932	7zG.exe
Token: SeSecurityPrivilege	3932	7zG.exe
Token: SeSecurityPrivilege	3932	7zG.exe
Token: SeDebugPrivilege	1488	Orcus.Administration.exe
Token: SeDebugPrivilege	3464	Orcus.Administration.exe
Token: SeDebugPrivilege	1936	Orcus.Administration.exe
Token: SeDebugPrivilege	4972	Orcus.Administration.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3932	7zG.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3464	1488	Orcus.Administration.exe	111
PID 1488 wrote to memory of 3464	1488	Orcus.Administration.exe	111
PID 1488 wrote to memory of 3464	1488	Orcus.Administration.exe	111
PID 1936 wrote to memory of 4972	1936	Orcus.Administration.exe	121
PID 1936 wrote to memory of 4972	1936	Orcus.Administration.exe	121
PID 1936 wrote to memory of 4972	1936	Orcus.Administration.exe	121

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Orcus RAT 1.9.1.zip"
1⤵
PID:540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Orcus RAT 1.9.1\" -spe -an -ai#7zMap9571:110:7zEvent11846
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3932

C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe
"C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe
  "C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3464

C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Server\Orcus.Server.exe
"C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Server\Orcus.Server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 940
  2⤵
  - Program crash
  PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2952 -ip 2952
1⤵
PID:5080

C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Server.CommandLine\Orcus.Server.CommandLine.exe
"C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Server.CommandLine\Orcus.Server.CommandLine.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4108

C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe
"C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe
  "C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\4BB5CDD9CEB6B101EC8447492D6A7841\32\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe

Filesize
3.9MB

MD5
37349777df1cc9c8d3d62eb733f7cd45

SHA1
456233fa947ab155dbe5636eda0a77346197bb4c

SHA256
0121f2d7ddc074ffa05619dbb2a4b555a4b550168a765b57fa8bd9298a7e4b52

SHA512
ca4e1a39dbb0fa0c6bbef7142cf457856cc2db14c03b5b9ea5c28811a3a70cc05505320f50e133e166aad25d779ac043b0f29b09bb34a342f5111603cc5dd074

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\Orcus.Administration.exe.config

Filesize
1KB

MD5
4cb71dfe2b8d53eda709ba19c03f5b81

SHA1
b116144704ef60e5c54e02973be4133108d5e513

SHA256
68695bcf02c26a74171ec14cc02d02ee545b5b55e24ff20b7f8068cf3d8cf37b

SHA512
57e596051ab0daf22f4d9b63091223456bb6c82d66a2774401f9dccbf02983752e7afef150b6ff3f18ebde68ed2bb5d04ee3326bbfc28f74b0f43daf0733661b

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\ControlzEx.dll

Filesize
176KB

MD5
952ae691d9f17599a521b2d04aceeb46

SHA1
55e0fa225c6fac6f25b28fd67ef844283d96c9c0

SHA256
241cb77017dc48e7cfac4bfbd005abb66432b9f4bf8cfd4f819b628d90f97fe0

SHA512
53246224c9fd54ba6bd61f204aaa166b1431a4bde53b5b6ef48ccd7fc90ac3a9ddf5f5ad74deb730dcb315d03794ed416a5448550ceda175662a49ea0b5c3d02

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Exceptionless.Signed.dll

Filesize
734KB

MD5
4787a519cfd30d7a7687ee62de7d8a47

SHA1
9f9213692517aaa331ab0622e24b9458f483e95e

SHA256
57b7be985c0b4630b8ca581e978e88671ae5912d06807891edd1d10e552d3765

SHA512
c74f7f4396082ab6f245ac7fcc61161cbc5582464bc78b3cf42deb08f9e44304568f462753b5c25122bcac4f58e766594426f7ff044d14c7b17f24825d3109d0

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\FluentCommandLineParser.dll

Filesize
43KB

MD5
d0220eb32a8a631ca29f55929c7046cb

SHA1
553ec4ecc90676c7bb1de9f75a6b1226f39677aa

SHA256
e6124423367a9ec411176e2714c16a041c1a8b3e1691845040b57b0d779bef14

SHA512
63c2d7ac019d511751c57153bde64c5c57819a74ffbd1a893ea980211185296f018bc09980537394bb33e92508b4e14d87da8a6fba2ca87b820b9276d07a3445

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\MahApps.Metro.IconPacks.Material.dll

Filesize
1.1MB

MD5
d8e627aadfb6dfed292be0672faa9f15

SHA1
2a7f51711bffd75ecb2d7ff2f510c89eecd16366

SHA256
97f4ca8c89ee13b8c249ca6f929d067ba3e87be07b4afa372fdc0a7e9e6e78e1

SHA512
d5139830d367a29e76ca260d9b17955cff80f1779c157551642f7e13d9abd265335ba0bbda433e8898042d482f29d79c48683fede4b8af746b69a7dfcd02098c

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\MahApps.Metro.dll

Filesize
1.0MB

MD5
735bea953b819dc0874176355e3e3141

SHA1
8ff71613230d454ec27d7b7ee6795289751a5277

SHA256
1af18a7eae467706f699dea9fcade9635ea2e331737501b72910413dfb12f17c

SHA512
2963d60fd6c182fa01b62ada3894987ba34f317b5c0cb92905a92930d68a6eeca5f4511d3d36a4ed4a0c3e3851f3ca16683ce9e8d98567f8cc206b973fee5148

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Orcus.Administration.Core.dll

Filesize
178KB

MD5
e6e085079b60c17970e27c29b42b385f

SHA1
b8ced79a01cb8923d6661783a6b450233067ef31

SHA256
a07d8389c94715e50afd2c8f3fdbb85cea8bde59287fe45229a5de9466e9f213

SHA512
815fdfe51da719b8368b866dd7b3079af7aa5b5ae35ca7c1ed9bf46ef4400ad4a740c8378c50a1b9a3919af3fe3fb3b549cd7f01a4f446d8057e9c87dbceed26

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Orcus.Administration.FileExplorer.dll

Filesize
108KB

MD5
728e35ef717c82d62737b0ca48b71473

SHA1
d023d823dbdd94fd1c7eebd47917d5568a289703

SHA256
6662e522614e1dc0ab28821c46f1089d77ef89d7ad3344e5b17ff26abd02b39b

SHA512
cf2cfb0e9a77b9dd2b97834e5b0d9767488700c21c57e00a4de4f56f86d70ad98a9343387281257ddefb32b77ab74df3dbff0ca74bb0c5bd51f6a082363c6112

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Orcus.Administration.Plugins.dll

Filesize
36KB

MD5
7334117321d06d64d34e8fa394ece199

SHA1
9c5825c517977a206469798e63988859841b9de8

SHA256
586b641ac8370d6d4214a25978e83e75d7609f1b671423f02afbe9f03e31d789

SHA512
3591dd9009209525c19163bf57da575cd5b66c90c30e8606153419d5673940aab9dff13a651bc39114b4acda07fadb85d9c0ae7b36ed434b92d460572cc75626

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Orcus.Administration.Resources.dll

Filesize
13.2MB

MD5
0e657f87405ed64fc36f23a8a21dbf62

SHA1
87a4caf93401da28544e5e8a0abd880210b110b4

SHA256
ad0882f9825e4e1e8ea4f5172fdfc20379243bc153cd5a85a44b2c7d64a7d5fd

SHA512
9c841df1fb472717c598588f961485b69b6c32bd0f9705d4feeb80c44de0cf80ad97838e08a81fb53a1135ef30b3ec83c288b5b498e4148273255c0a8878e9b3

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Orcus.Administration.ViewModels.dll

Filesize
514KB

MD5
b7bd85b0122ba17962b460a2fafc0811

SHA1
74e7222586cd0cf56d011d263462f35699400c88

SHA256
66639aff978b4cede656fc4c2e0b28a71df0f41a5d5f48e472da558752eab4e7

SHA512
9335856828c2dfd329d238d4f9f0e9b2aa2d2192b808a4060c4f7a56a6f1c7e28c73cb0cc568cd77375c3af440b24d1c707985e4dea3f78ec97f68bf9531725e

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Orcus.Plugins.dll

Filesize
31KB

MD5
4080ce5546902a34b8ad7e2560138d8e

SHA1
0df01a32bcf03e50d6f2f38d713fd291aaf13cc3

SHA256
e2b10312165eb89bb9221f10908a7715eb0e12829d8f7991510b7373848489cd

SHA512
1ca529f628cee64bb2aa7fe1ef073ea6c09b8401ee27847a729dde8d744b28561fbc3e7dfeb6b2cbf6bb4b969f372c84eee70440ddd7ed7c2d51da96030ae8f0

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Orcus.Shared.Utilities.dll

Filesize
48KB

MD5
cfc5f2a2c3e42f165206fdef112a1248

SHA1
7384146567495aa9f0b833dfe5f99c31e01ce673

SHA256
5453f3d2e18d8a8d9890c61bf2637d1c6ee220df5cc3b4a94706ccb3c984e2c1

SHA512
b66771eff18bb6882bb2d43ce651ada8d2c554e46a49333acaf1e48d6d986e5a42bc707ca76cc2bbc94c8be7b16ffefbfa4244ddba69877175f2f0454b1555d8

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Orcus.Shared.dll

Filesize
343KB

MD5
280c3f5f4c20bc4ce8adb25a27339dcb

SHA1
1801063a265c89561caa205d28f8c52ca048f402

SHA256
467bd59c93132b339cc05974b7a9c4a8d4d5d2bcdd8df7631f98682195dd2011

SHA512
e6bc07bd9bcd40fe3d92d1844b760aac666da9a590b44b3fde34caeb91d59aa8a7e1589b6daa43178c7f72c3e9fbd19b7756b5b05feb1dd3c648f5c41d64e659

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Sorzus.Wpf.Toolkit.dll

Filesize
54KB

MD5
935ba6462b3715f47b15bcc01d06286b

SHA1
c00cbdc225b3133abfb140458b0e549d423979af

SHA256
55fe135dd15a03f74ad60cca5167a911cde4f816150ffd0ace28eb1aba647b19

SHA512
1c3f85fc7370a6ca32f4324ad437d89f4a7a9910f19c41a88d8ae0bb92499c135ddce004c3f7095112b4407715f21be56f531563b82985b1ec7d0be50ca75723

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\System.Windows.Interactivity.dll

Filesize
54KB

MD5
580244bc805220253a87196913eb3e5e

SHA1
ce6c4c18cf638f980905b9cb6710ee1fa73bb397

SHA256
93fbc59e4880afc9f136c3ac0976ada7f3faa7cacedce5c824b337cbca9d2ebf

SHA512
2666b594f13ce9df2352d10a3d8836bf447eaf6a08da528b027436bb4affaad9cd5466b4337a3eaf7b41d3021016b53c5448c7a52c037708cae9501db89a73f0

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\Xceed.Wpf.Toolkit.dll

Filesize
1.1MB

MD5
0e72aa1d1749bbce872a900f8fdfb1aa

SHA1
0a63786d3c054937be206f013b8d38e9f6d5d872

SHA256
e31c0e08a52bf55167f39680d975fe36bbb34039f6bdfa04a429445cd6864458

SHA512
afe200ef6df952c539c8e73e778d53efe6fc0fcc325470204b3f20795db3f31e85c35e261a60e29931439c2cafc4130971e2f21de1cd6206d82a5202151df5f4

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\libraries\nUpdate.dll

Filesize
2.6MB

MD5
253ba7f0427e3f8e032b97496a019a24

SHA1
62793783943b04d8836746bb452145722cf63001

SHA256
814eb85113211fa90efe952f35d06e537f01bf38febca48e2c0cef02ebdb1877

SHA512
29f848f4293454a0103197cd3bb59e364df099b7a26f926673b30132ffe3d15b505fbfc3e0391482d9cd9ed53efd0f3193d0cdf83e0fb59ce3e27de878b83585

Download Submit
C:\Users\Admin\Desktop\Orcus RAT 1.9.1\Orcus.Administration\settings.json

Filesize
924B

MD5
f52bc81b9bd5fd71892b5a9455a7acc9

SHA1
671ce63a513aef4ada032dea0056cb4879d9838b

SHA256
6078c4dd16f55d29b426d9fc002124cfd65efe54ed056a564cc9f0a68f1813ff

SHA512
69bfcff1dfb57d6f5fbafb3c01d6c27064d816c923ad4257ee879f5601a22f271d8e5a62eac8e97e90a73f0d100a784275b9ae2a104b383e3e9dd7c8c43fb0f8

Download Submit
memory/1488-163-0x0000000005DC0000-0x0000000005DD4000-memory.dmp

Filesize
80KB

Download
memory/1488-143-0x0000000005E00000-0x0000000006096000-memory.dmp

Filesize
2.6MB

Download
memory/1488-176-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/1488-180-0x00000000066E0000-0x00000000066F2000-memory.dmp

Filesize
72KB

Download
memory/1488-172-0x0000000006550000-0x00000000065D6000-memory.dmp

Filesize
536KB

Download
memory/1488-184-0x00000000062E0000-0x00000000062EE000-memory.dmp

Filesize
56KB

Download
memory/1488-164-0x0000000005DE0000-0x0000000005DFC000-memory.dmp

Filesize
112KB

Download
memory/1488-188-0x0000000006760000-0x00000000067BC000-memory.dmp

Filesize
368KB

Download
memory/1488-192-0x0000000006870000-0x0000000006920000-memory.dmp

Filesize
704KB

Download
memory/1488-159-0x0000000006420000-0x000000000654A000-memory.dmp

Filesize
1.2MB

Download
memory/1488-200-0x00000000067F0000-0x0000000006800000-memory.dmp

Filesize
64KB

Download
memory/1488-155-0x0000000005D70000-0x0000000005D92000-memory.dmp

Filesize
136KB

Download
memory/1488-196-0x0000000006810000-0x0000000006842000-memory.dmp

Filesize
200KB

Download
memory/1488-201-0x0000000006990000-0x00000000069F6000-memory.dmp

Filesize
408KB

Download
memory/1488-151-0x00000000062F0000-0x000000000641C000-memory.dmp

Filesize
1.2MB

Download
memory/1488-202-0x000000000A180000-0x000000000A188000-memory.dmp

Filesize
32KB

Download
memory/1488-203-0x000000000A050000-0x000000000A088000-memory.dmp

Filesize
224KB

Download
memory/1488-204-0x000000000A010000-0x000000000A01E000-memory.dmp

Filesize
56KB

Download
memory/1488-205-0x000000000AA00000-0x000000000AA0C000-memory.dmp

Filesize
48KB

Download
memory/1488-147-0x00000000060A0000-0x00000000061B2000-memory.dmp

Filesize
1.1MB

Download
memory/1488-209-0x000000000BD90000-0x000000000CAC0000-memory.dmp

Filesize
13.2MB

Download
memory/1488-168-0x0000000006200000-0x0000000006232000-memory.dmp

Filesize
200KB

Download
memory/1488-213-0x0000000006EE0000-0x0000000006EF2000-memory.dmp

Filesize
72KB

Download
memory/1488-214-0x000000000B8A0000-0x000000000B8C2000-memory.dmp

Filesize
136KB

Download
memory/1488-215-0x000000000CAC0000-0x000000000CE14000-memory.dmp

Filesize
3.3MB

Download
memory/1488-135-0x0000000000B60000-0x0000000000F56000-memory.dmp

Filesize
4.0MB

Download
memory/1488-139-0x0000000005780000-0x000000000583E000-memory.dmp

Filesize
760KB

Download
memory/1936-248-0x0000000006AE0000-0x0000000006E34000-memory.dmp

Filesize
3.3MB

Download
memory/2952-240-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2952-238-0x0000000005630000-0x000000000566C000-memory.dmp

Filesize
240KB

Download
memory/2952-239-0x0000000005670000-0x000000000574C000-memory.dmp

Filesize
880KB

Download
memory/2952-234-0x00000000005E0000-0x00000000008CE000-memory.dmp

Filesize
2.9MB

Download
memory/3464-230-0x0000000007540000-0x0000000007AE4000-memory.dmp

Filesize
5.6MB

Download
memory/3464-229-0x0000000006CD0000-0x0000000006DAC000-memory.dmp

Filesize
880KB

Download
memory/3464-232-0x0000000007440000-0x0000000007448000-memory.dmp

Filesize
32KB

Download
memory/3464-233-0x000000000E870000-0x000000000EE88000-memory.dmp

Filesize
6.1MB

Download
memory/3464-231-0x0000000006E00000-0x0000000006E18000-memory.dmp

Filesize
96KB

Download
memory/3464-228-0x00000000064D0000-0x0000000006824000-memory.dmp

Filesize
3.3MB

Download
memory/4108-243-0x0000000004D40000-0x0000000004D9C000-memory.dmp

Filesize
368KB

Download
memory/4108-242-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/4108-241-0x00000000000D0000-0x0000000000286000-memory.dmp

Filesize
1.7MB

Download
memory/4108-244-0x0000000004FD0000-0x0000000005324000-memory.dmp

Filesize
3.3MB

Download
memory/4108-245-0x0000000005930000-0x0000000005980000-memory.dmp

Filesize
320KB

Download