Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

xd.exe

windows10-2004-x64

10

xd.exe

windows10-ltsc 2021-x64

10

xd.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    292s
  • max time network
    302s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    28/10/2024, 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xd.exe

  • Size

    3.0MB

  • MD5

    b8006a0ea8243be30ddbc2009aa05d93

  • SHA1

    81df425e729edd90c7b7e50b995803da783557ef

  • SHA256

    6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2

  • SHA512

    4535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4

  • SSDEEP

    49152:6zTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmNMrZEu:6zTtODUKTslWp2MpbfGGilIJPypSbxE8

Score
10/10
orcusdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

orcus

C2

89.23.100.155:1337

Mutex

1ff7891fa0904651aeca5ed123954333

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 2 IoCs
  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • Orcurs Rat Executable 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Using powershell.exe command.

    execution
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 14 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\xd.exe
    "C:\Users\Admin\AppData\Local\Temp\xd.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2252
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5lkc5msd.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FC0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FAF.tmp"
        3⤵
          PID:4756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:936
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2280
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1140
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:440
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Modifies Windows Defender Real-time Protection settings
        • UAC bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Checks processor information in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2764
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2496
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1824
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4372
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:936
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3064
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3340
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4596
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:760
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
          3⤵
          • Command and Scripting Interpreter: PowerShell
          PID:1684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          PID:3876
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
          3⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2644
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2264
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TraceFormat.au"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1516

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Hijack Execution Flow

    1
    T1574

    Executable Installer File Permissions Weakness

    1
    T1574.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Hijack Execution Flow

    1
    T1574

    Executable Installer File Permissions Weakness

    1
    T1574.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Hijack Execution Flow

    1
    T1574

    Executable Installer File Permissions Weakness

    1
    T1574.005

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    3
    T1552

    Credentials In Files

    2
    T1552.001

    Credentials in Registry

    1
    T1552.002

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    4
    T1012

    System Information Discovery

    5
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Orcus\Orcus.exe
      Filesize

      3.0MB

      MD5

      b8006a0ea8243be30ddbc2009aa05d93

      SHA1

      81df425e729edd90c7b7e50b995803da783557ef

      SHA256

      6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2

      SHA512

      4535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4

      Download Submit

    • C:\Program Files\Orcus\Orcus.exe.config
      Filesize

      349B

      MD5

      89817519e9e0b4e703f07e8c55247861

      SHA1

      4636de1f6c997a25c3190f73f46a3fd056238d78

      SHA256

      f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

      SHA512

      b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      3eb3833f769dd890afc295b977eab4b4

      SHA1

      e857649b037939602c72ad003e5d3698695f436f

      SHA256

      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

      SHA512

      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      0f1bf4207c100442afb6f174495b7e10

      SHA1

      77ab64a201e4c57bbda4f0c3306bee76e9513b44

      SHA256

      c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d

      SHA512

      29bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      5e22dd1cda88782a1f52f76e748ef957

      SHA1

      3231826619a06fa541e2bfb21da445bd7013b5ac

      SHA256

      73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

      SHA512

      75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      235a8eb126d835efb2e253459ab8b089

      SHA1

      293fbf68e6726a5a230c3a42624c01899e35a89f

      SHA256

      5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

      SHA512

      a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\451.exe
      Filesize

      3.0MB

      MD5

      0aa6a14b26944d7f9ff50bfcc3e9e0c9

      SHA1

      de21f62e9ea5618fa793ce3593c6c57e26bdedad

      SHA256

      b92a6bfcff5ad36cb34871413e4b046bd5d4d2c573ab86b6aaade7f4e23e380a

      SHA512

      f7c202588f071cbef074b36d7cc3a0aeda7c27af02e20268ba5750803a0ba5c990ce7f50b9f9d32b047110c1ab9e5d9fb65e2f1992c3d8f92b0ea84ddd96103b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\5lkc5msd.dll
      Filesize

      76KB

      MD5

      41acbbd858c29fa59d1da4bfb774b571

      SHA1

      336672c7334e1fbe2480ad8d4638be284fec63c6

      SHA256

      56d0810ff10aeea43882ae50f5a6d95d1a7ac6fa42728d9ff33c9c14d6cc9ec1

      SHA512

      079e974886d7cfd819108e47b0936672e3fb359d58e3a987b28dad58fbbff177b5cd8f59dd73265443459620d44565e5a7b5686db56026d748c211b42f0ca34f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES7FC0.tmp
      Filesize

      1KB

      MD5

      3cd7fbc44added6ced8aacd4e4ac5226

      SHA1

      68c239a6911cfecd74ae6367ec7473a511fd78d6

      SHA256

      4dc3edc82ccf2af480f43c74ad8c8293efcad948823895b6158789d6659ce762

      SHA512

      748938616f1dcc50de6afb073f83e21e5f25a1ccd3d7fbf1b6e0719a11ba6c664742f9f02668dde43037f9e86eba7c0ca2a40165a2b25579c3f1bb937ed486fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzmcsop3.4vf.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\AForge.Video.DirectShow.dll
      Filesize

      60KB

      MD5

      17ed442e8485ac3f7dc5b3c089654a61

      SHA1

      d3a17c1fdd6d54951141053f88bf8238dea0b937

      SHA256

      666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

      SHA512

      9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\AForge.Video.dll
      Filesize

      20KB

      MD5

      0bd34aa29c7ea4181900797395a6da78

      SHA1

      ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8

      SHA256

      bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d

      SHA512

      a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\CSCore.dll
      Filesize

      519KB

      MD5

      94a312a6fcec0e78808bcea3d8ff67f5

      SHA1

      fe760487d13f9a6f5f359036561105d4aca88a1f

      SHA256

      e835139171eb0d63b6b4e02b0997cac040c02d295648a275d4c8d28b234c8e94

      SHA512

      ecdedeee1ee4e35e4fbd2dea3a4dd8b0805166a9610a63affbfb673f2644588eacecba6b3a5a0052c202ab14c321800997512abc318d36a50b00cc86dc83ec1c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\SharpDX.DXGI.dll
      Filesize

      125KB

      MD5

      2b44c70c49b70d797fbb748158b5d9bb

      SHA1

      93e00e6527e461c45c7868d14cf05c007e478081

      SHA256

      3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

      SHA512

      faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\SharpDX.Direct3D11.dll
      Filesize

      271KB

      MD5

      98eb5ba5871acdeaebf3a3b0f64be449

      SHA1

      c965284f60ef789b00b10b3df60ee682b4497de3

      SHA256

      d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

      SHA512

      a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\SharpDX.Direct3D9.dll
      Filesize

      338KB

      MD5

      934da0e49208d0881c44fe19d5033840

      SHA1

      a19c5a822e82e41752a08d3bd9110db19a8a5016

      SHA256

      02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

      SHA512

      de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\SharpDX.dll
      Filesize

      247KB

      MD5

      ffb4b61cc11bec6d48226027c2c26704

      SHA1

      fa8b9e344accbdc4dffa9b5d821d23f0716da29e

      SHA256

      061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

      SHA512

      48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\TurboJpegWrapper.dll
      Filesize

      1.3MB

      MD5

      ac6acc235ebef6374bed71b37e322874

      SHA1

      a267baad59cd7352167636836bad4b971fcd6b6b

      SHA256

      047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

      SHA512

      72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\lib_1ff7891fa0904651aeca5ed123954333\x64\turbojpeg.dll
      Filesize

      662KB

      MD5

      b36cc7f7c7148a783fbed3493bc27954

      SHA1

      44b39651949a00cf2a5cbba74c3210b980ae81b4

      SHA256

      c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

      SHA512

      c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\5lkc5msd.0.cs
      Filesize

      208KB

      MD5

      2b016afb119e25cb3fe81d09b1a1bb0c

      SHA1

      0d3374f0b9ffbe63f84209072274b675357b58fe

      SHA256

      25e9cc663d0269ce91d304c06c13a574d7b65a2328cb6a9221dd20d57fc7e543

      SHA512

      11cfc789fbac7b96f0c8239ce1b05cb61be62c2d3f25b10d7f1938d3bd90ddcee7d81567842790f2600f7c81f49f85d5391be8408ceecb7cf45156ab1b355b59

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\5lkc5msd.cmdline
      Filesize

      349B

      MD5

      677000c9e7636e08bd6883f22893b9e9

      SHA1

      395e53f0227b096d9d83840ef81e8c58d7a4f2e0

      SHA256

      5a9d1fb9890f74e5eac08c58ba9896e4c3f29115894ca1476b4a9f95a6eb7121

      SHA512

      1ae832f135802183e363c7458007273d509f03c18f8b8ad0154bbbee12ad09bf5df7e5b6617c4809a0af1b561d24fb20cf0b941630b2e504cfeeb5e8f76b4ee1

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC7FAF.tmp
      Filesize

      676B

      MD5

      6d8dacc69ca5107a33d76083cdda6435

      SHA1

      e9631dd07bff5b37a637d69e2e9e9068d669dd5d

      SHA256

      bfb18b109bdd2cfc8ad87c1d6fc55b7c128a5a083bcd157c725d5fc805d3212d

      SHA512

      80eb1fb3e76a195ef5d6af15562df867f66f430b497226432654d0af3e81d6002f9d204591d0040b0fd58bf63df1a9a31b02cbba2bc79923f131f7a4dc41da6c

      Download Submit

    • memory/1516-681-0x00007FF8891F0000-0x00007FF889224000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1516-680-0x00007FF693D50000-0x00007FF693E48000-memory.dmp

      Filesize

      992KB

      Download

    • memory/1516-682-0x00007FF86C3E0000-0x00007FF86C696000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/1516-683-0x00007FF86A7C0000-0x00007FF86B870000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/2252-227-0x000000001D460000-0x000000001D470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2252-241-0x000000001E5D0000-0x000000001E5F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2252-0-0x00007FF872535000-0x00007FF872536000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2252-61-0x000000001E5D0000-0x000000001E5DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-103-0x000000001E4C0000-0x000000001E544000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2252-165-0x00007FF872280000-0x00007FF872C21000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2252-166-0x000000001E580000-0x000000001E588000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-172-0x000000001E5A0000-0x000000001E5A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-171-0x000000001E5A0000-0x000000001E5A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-174-0x000000001E5A0000-0x000000001E5AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-175-0x000000001E650000-0x000000001E680000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2252-173-0x000000001E5A0000-0x000000001E5AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-176-0x00000000213F0000-0x0000000021464000-memory.dmp

      Filesize

      464KB

      Download

    • memory/2252-1-0x00007FF872280000-0x00007FF872C21000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2252-2-0x0000000001730000-0x000000000178C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/2252-198-0x00000000216F0000-0x00000000219EE000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2252-199-0x0000000140000000-0x000000014002C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2252-205-0x000000001E5A0000-0x000000001E5B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2252-206-0x000000001E5A0000-0x000000001E5B6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2252-207-0x000000001E5D0000-0x000000001E5FA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2252-208-0x000000001D460000-0x000000001D468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-209-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-210-0x000000001E5A0000-0x000000001E5C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2252-211-0x000000001E5D0000-0x000000001E5F6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2252-212-0x000000001E5E0000-0x000000001E620000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2252-213-0x000000001E5E0000-0x000000001E61E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2252-215-0x000000001D460000-0x000000001D468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-214-0x000000001E5D0000-0x000000001E5FC000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2252-216-0x000000001D460000-0x000000001D46A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-217-0x000000001E5D0000-0x000000001E5F4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2252-218-0x000000001E5D0000-0x000000001E5F8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2252-219-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-220-0x000000001D460000-0x000000001D46A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-221-0x000000001E5A0000-0x000000001E5BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2252-222-0x000000001E5A0000-0x000000001E5BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2252-223-0x000000001D460000-0x000000001D468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-224-0x000000001D460000-0x000000001D46A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-225-0x000000001D460000-0x000000001D46E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-226-0x000000001E5A0000-0x000000001E5B4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2252-34-0x00007FF872280000-0x00007FF872C21000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2252-228-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-229-0x000000001E5D0000-0x000000001E5F8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2252-230-0x000000001D460000-0x000000001D46A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-231-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-232-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-233-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-234-0x000000001E5A0000-0x000000001E5B4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2252-235-0x000000001E5A0000-0x000000001E5B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2252-236-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-237-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-238-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-239-0x000000001D460000-0x000000001D470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2252-240-0x000000001D460000-0x000000001D46E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-3-0x00000000013B0000-0x00000000013BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-242-0x000000001E5A0000-0x000000001E5BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2252-243-0x000000001E5A0000-0x000000001E5B4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2252-244-0x000000001E5A0000-0x000000001E5BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2252-245-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-247-0x000000001E5A0000-0x000000001E5B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2252-246-0x000000001D460000-0x000000001D46E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-248-0x000000001E5A0000-0x000000001E5B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2252-249-0x000000001D460000-0x000000001D46E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-250-0x000000001D460000-0x000000001D46A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-251-0x000000001D460000-0x000000001D468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-252-0x000000001E5A0000-0x000000001E5BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2252-253-0x000000001E5A0000-0x000000001E5BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2252-258-0x000000001E5A0000-0x000000001E5B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2252-257-0x000000001D460000-0x000000001D46E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-256-0x000000001D460000-0x000000001D468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-255-0x000000001D460000-0x000000001D468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-254-0x000000001D460000-0x000000001D468000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-259-0x000000001D460000-0x000000001D46E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-260-0x000000001D460000-0x000000001D46A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-261-0x000000001E5D0000-0x000000001E5FA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2252-262-0x000000001E5D0000-0x000000001E5F8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2252-263-0x000000001E5A0000-0x000000001E5BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2252-264-0x000000001E5D0000-0x000000001E5F6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2252-265-0x000000001D460000-0x000000001D46C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2252-266-0x000000001D460000-0x000000001D46A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-4-0x00007FF872280000-0x00007FF872C21000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2252-5-0x000000001C500000-0x000000001C9CE000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2252-6-0x000000001CA70000-0x000000001CB0C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2252-21-0x000000001CB60000-0x000000001CB76000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2252-23-0x000000001CB40000-0x000000001CB52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2252-24-0x000000001CB20000-0x000000001CB2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-25-0x000000001D060000-0x000000001D068000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-26-0x000000001CB10000-0x000000001CB18000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-27-0x00007FF872280000-0x00007FF872C21000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2252-28-0x00007FF872535000-0x00007FF872536000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2252-29-0x00007FF872280000-0x00007FF872C21000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2264-296-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-295-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-301-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-302-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-303-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-304-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-305-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-306-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-300-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-294-0x0000012D92330000-0x0000012D92331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2764-667-0x00000000660C0000-0x000000006615C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3100-33-0x00007FF86F9A3000-0x00007FF86F9A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3100-49-0x00007FF86F9A0000-0x00007FF870462000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3100-44-0x00000215D0870000-0x00000215D0892000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3100-45-0x00007FF86F9A0000-0x00007FF870462000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3100-46-0x00007FF86F9A0000-0x00007FF870462000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4296-14-0x00007FF872280000-0x00007FF872C21000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4296-19-0x00007FF872280000-0x00007FF872C21000-memory.dmp

      Filesize

      9.6MB

      Download