orcus | e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xda.exe
Size

3.0MB
MD5

cf6aa82e9cb164a4ddd30a1f77db1eb7
SHA1

60790744a396419695221c39aee74672bc67fa66
SHA256

e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700
SHA512

e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09
SSDEEP

49152:XzTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmWrZEIN:XzTtODUKTslWp2MpbfGGilIJPypSbxE8

Score

10^/10

orcus defense_evasion discovery evasion persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

89.23.100.155:1337

Mutex

d058ef377b7f46bea0e52b669562775b

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2064-22-0x0000000000430000-0x000000000043A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Orcus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	xda.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000173a3-237.dat	family_orcus

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Orcus.exe

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/memory/2064-53-0x000000001C9F0000-0x000000001CCF0000-memory.dmp	orcus
behavioral1/files/0x00080000000173a3-237.dat	orcus

Executes dropped EXE 6 IoCs

pid	Process
2244	WindowsInput.exe
2772	WindowsInput.exe
2268	Orcus.exe
1584	Orcus.exe
2756	OrcusWatchdog.exe
2632	OrcusWatchdog.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	xda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xda.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	Orcus.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	xda.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	xda.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	xda.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	xda.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	xda.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	powershell.exe
572	powershell.exe
2268	Orcus.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe
2268	Orcus.exe
2632	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2268	Orcus.exe
Token: SeDebugPrivilege	2756	OrcusWatchdog.exe
Token: SeDebugPrivilege	2632	OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2268	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2268	Orcus.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2504	2064	xda.exe	30
PID 2064 wrote to memory of 2504	2064	xda.exe	30
PID 2064 wrote to memory of 2504	2064	xda.exe	30
PID 2504 wrote to memory of 1956	2504	csc.exe	32
PID 2504 wrote to memory of 1956	2504	csc.exe	32
PID 2504 wrote to memory of 1956	2504	csc.exe	32
PID 2064 wrote to memory of 2244	2064	xda.exe	33
PID 2064 wrote to memory of 2244	2064	xda.exe	33
PID 2064 wrote to memory of 2244	2064	xda.exe	33
PID 2064 wrote to memory of 2036	2064	xda.exe	36
PID 2064 wrote to memory of 2036	2064	xda.exe	36
PID 2064 wrote to memory of 2036	2064	xda.exe	36
PID 2064 wrote to memory of 2268	2064	xda.exe	38
PID 2064 wrote to memory of 2268	2064	xda.exe	38
PID 2064 wrote to memory of 2268	2064	xda.exe	38
PID 2268 wrote to memory of 572	2268	Orcus.exe	40
PID 2268 wrote to memory of 572	2268	Orcus.exe	40
PID 2268 wrote to memory of 572	2268	Orcus.exe	40
PID 1620 wrote to memory of 1584	1620	taskeng.exe	42
PID 1620 wrote to memory of 1584	1620	taskeng.exe	42
PID 1620 wrote to memory of 1584	1620	taskeng.exe	42
PID 2268 wrote to memory of 2756	2268	Orcus.exe	43
PID 2268 wrote to memory of 2756	2268	Orcus.exe	43
PID 2268 wrote to memory of 2756	2268	Orcus.exe	43
PID 2268 wrote to memory of 2756	2268	Orcus.exe	43
PID 2756 wrote to memory of 2632	2756	OrcusWatchdog.exe	44
PID 2756 wrote to memory of 2632	2756	OrcusWatchdog.exe	44
PID 2756 wrote to memory of 2632	2756	OrcusWatchdog.exe	44
PID 2756 wrote to memory of 2632	2756	OrcusWatchdog.exe	44

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	Orcus.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xda.exe
"C:\Users\Admin\AppData\Local\Temp\xda.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2064
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8vxnxsxe.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC784.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC783.tmp"
    3⤵
    PID:1956
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2268
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2268
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2632

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\taskeng.exe
taskeng.exe {7C0A4BF8-25D9-41F5-93E2-22144E98FD74} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
cf6aa82e9cb164a4ddd30a1f77db1eb7

SHA1
60790744a396419695221c39aee74672bc67fa66

SHA256
e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700

SHA512
e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09

Download Submit
C:\Users\Admin\AppData\Local\Temp\8vxnxsxe.dll

Filesize
76KB

MD5
71c58df604eb1d7bd55273e713f05953

SHA1
907a5ab5f37bdbe29257c066a28731a8c2545e60

SHA256
b053a76902a0701eb9379be95afb917cb1b5d120115933d1e7259c9dfe881111

SHA512
1ae4ae45458bf1fc7cad0bd0c119d21ad6b37fc0f60eb7ed783f63b3e1e6bd75fb3bfbc213fd83664525e9bdfd469d72cf7052ac36352f29109d1b9da4508f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab44DD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC784.tmp

Filesize
1KB

MD5
951d656e1ac0c25e9708c359d9cc7035

SHA1
0e3830532b7958a95731548c622b84f2c65e88c1

SHA256
f7314d1b5ff88a3df2ff7bcc989de5f1a99c1f0d6ae9d79cb5bc8960462c1893

SHA512
64cb1229ffc0b285ef91f05931329bb1f3a8c2d558cd1bcd7916b16396d635cd2ba1c2f0c704c1014f73ad89d10aa39daad2ab0e8e25cf931393e3cf8c89733d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar458B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5d8437e476e0a4db325bea03a069f738

SHA1
5f52d5d595e9ee2980ad064aa36c5b2db8b7c790

SHA256
637037cbe7c9beebf33787543a80fdf8f46039e9ab3e45283a6ee9e10df041da

SHA512
8a5eeb42f4bff868761651ab17a2c714f6f78055349aa7fd00b143ad27eb4455fc2114e1fe3715f2eccd3c3ec4aef42b24c5643c2a8e3877da182e2c06f012c6

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
7a195b6c9de2d5cab015f649da6931a1

SHA1
89f7372dd92a90a8e13b74ee512b464412e4cf9b

SHA256
30183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc

SHA512
3c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
f6285edd247fa58161be33f8cf662d31

SHA1
e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470

SHA256
bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec

SHA512
6f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8vxnxsxe.0.cs

Filesize
208KB

MD5
d9f26c56ba4d303302b58923e3f3b601

SHA1
145d52165ef6092193233b7e80013a6e8a848e53

SHA256
1abe714f9efc1de74cb7cfbbb98f90e74fca759f4e43ee79899120b95d3f3dee

SHA512
81cb00a99c695f2df192754c1c12374ec108688486d956089a60e249bf250b92bad1ed5f2a1155d7eaa9f15c1131778751b5d4e5707c3744c6a2bd5c6755379a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8vxnxsxe.cmdline

Filesize
349B

MD5
253b36671f5f05af438355591a9df795

SHA1
b2ce3b50f04b8584b335482d89a0c95bd1c7bcf3

SHA256
992ba2c10c77473c71f8c4c2bd6a923d9ca3ac38cdfba9d598192e7253fdcd48

SHA512
7974ced5433ab23ef76ad85d9a294a3da62e461290c80606dad492f745d8f5745a9b6a4c06d42de0d765d808a8ad91b19fccd78545fe488c788e9758c6a9bea7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC783.tmp

Filesize
676B

MD5
68ffab5e43ac72435b92f410095e545d

SHA1
d8eff658ffc86da664f6bdfb6c7c6a549723fda6

SHA256
0280a7a0ab18c98fe0c9cad77c9d131cd4ebdbbe142bd8d8e52174918d42db9e

SHA512
e8aad91db24598b5b7676f54e7d7d349ad77d1caff006fcc6162b684166ae0acd60f2ea90b3a68ec1914ab3605536ecc0bacc5f57f32c4e50a7508c47705610e

Download Submit
memory/2036-44-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2036-43-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2064-85-0x000000001C570000-0x000000001C645000-memory.dmp

Filesize
852KB

Download
memory/2064-92-0x000000001B610000-0x000000001B624000-memory.dmp

Filesize
80KB

Download
memory/2064-22-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2064-0-0x000007FEF53FE000-0x000007FEF53FF000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x0000000000450000-0x00000000004AC000-memory.dmp

Filesize
368KB

Download
memory/2064-2-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2064-21-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2064-19-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/2064-45-0x000000001B640000-0x000000001B696000-memory.dmp

Filesize
344KB

Download
memory/2064-53-0x000000001C9F0000-0x000000001CCF0000-memory.dmp

Filesize
3.0MB

Download
memory/2064-55-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-56-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2064-57-0x000000001B610000-0x000000001B628000-memory.dmp

Filesize
96KB

Download
memory/2064-58-0x000000001B5F0000-0x000000001B62B000-memory.dmp

Filesize
236KB

Download
memory/2064-59-0x000000001B610000-0x000000001B626000-memory.dmp

Filesize
88KB

Download
memory/2064-60-0x000000001B620000-0x000000001B64A000-memory.dmp

Filesize
168KB

Download
memory/2064-61-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2064-62-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2064-63-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2064-64-0x000000001C6F0000-0x000000001C7FA000-memory.dmp

Filesize
1.0MB

Download
memory/2064-65-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-66-0x000000001B610000-0x000000001B630000-memory.dmp

Filesize
128KB

Download
memory/2064-67-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2064-68-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2064-69-0x000000001B5F0000-0x000000001B62B000-memory.dmp

Filesize
236KB

Download
memory/2064-70-0x000000001B610000-0x000000001B622000-memory.dmp

Filesize
72KB

Download
memory/2064-71-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2064-72-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-73-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-74-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-75-0x000000001B610000-0x000000001B62E000-memory.dmp

Filesize
120KB

Download
memory/2064-76-0x000000001B610000-0x000000001B62E000-memory.dmp

Filesize
120KB

Download
memory/2064-77-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2064-78-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2064-79-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-80-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2064-81-0x000000001B610000-0x000000001B624000-memory.dmp

Filesize
80KB

Download
memory/2064-82-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/2064-83-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-84-0x000000001B620000-0x000000001B64A000-memory.dmp

Filesize
168KB

Download
memory/2064-3-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2064-86-0x000000001B620000-0x000000001B648000-memory.dmp

Filesize
160KB

Download
memory/2064-87-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2064-88-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-89-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-90-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-91-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-23-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2064-93-0x000000001B610000-0x000000001B628000-memory.dmp

Filesize
96KB

Download
memory/2064-94-0x000000001B610000-0x000000001B628000-memory.dmp

Filesize
96KB

Download
memory/2064-95-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2064-96-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-97-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-98-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-99-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/2064-100-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2064-101-0x000000001B620000-0x000000001B642000-memory.dmp

Filesize
136KB

Download
memory/2064-102-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2064-103-0x000000001B620000-0x000000001B64C000-memory.dmp

Filesize
176KB

Download
memory/2064-104-0x000000001B610000-0x000000001B624000-memory.dmp

Filesize
80KB

Download
memory/2064-106-0x000000001B610000-0x000000001B62A000-memory.dmp

Filesize
104KB

Download
memory/2064-107-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-105-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2064-108-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2064-109-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-110-0x000000001B630000-0x000000001B670000-memory.dmp

Filesize
256KB

Download
memory/2064-111-0x000000001B610000-0x000000001B622000-memory.dmp

Filesize
72KB

Download
memory/2064-112-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2064-113-0x000000001B620000-0x000000001B644000-memory.dmp

Filesize
144KB

Download
memory/2064-114-0x000000001B620000-0x000000001B648000-memory.dmp

Filesize
160KB

Download
memory/2064-115-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-116-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2064-117-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2064-118-0x000000001B610000-0x000000001B62C000-memory.dmp

Filesize
112KB

Download
memory/2064-119-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2064-120-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2064-121-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/2064-122-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2064-123-0x000000001B610000-0x000000001B622000-memory.dmp

Filesize
72KB

Download
memory/2064-124-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/2064-125-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-126-0x000000001B620000-0x000000001B64A000-memory.dmp

Filesize
168KB

Download
memory/2064-127-0x000000001C570000-0x000000001C645000-memory.dmp

Filesize
852KB

Download
memory/2064-128-0x000000001B620000-0x000000001B648000-memory.dmp

Filesize
160KB

Download
memory/2064-129-0x000000001B610000-0x000000001B62E000-memory.dmp

Filesize
120KB

Download
memory/2064-130-0x000000001B620000-0x000000001B646000-memory.dmp

Filesize
152KB

Download
memory/2064-131-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-132-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/2064-133-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2064-4-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2244-31-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2504-10-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2504-17-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2772-35-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

Filesize
48KB

Download