orcus | 3bfd1e4cae067297ea03292efbae3f59961453c71a0898433b47961771728544

Resubmissions

11-12-2024 01:48

241211-b75ccszlhx 10

Analysis

max time kernel
749s
max time network
751s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-12-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

903KB
MD5

355df37589243785512812437ef1d4b2
SHA1

45fae5fd1ce1aa7f1c239489a3e0db5ab0606128
SHA256

3bfd1e4cae067297ea03292efbae3f59961453c71a0898433b47961771728544
SHA512

e1d1c1a3b9569f55247583d0a70458d957d779a696177d61cd5daff31f5372cf1c0bc81272809c90e991bdefbe9e15e4a5b00bcf59f90028588f8157a7feeb64
SSDEEP

12288:b8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBS:I3s4MROxnF9LqrZlI0AilFEvxHiko

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

147.185.221.24:4580

Mutex

a339b99dac7845378c88498c7cef7ac5

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00290000000450cc-27.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x00290000000450cc-27.dat	orcus
behavioral1/memory/4572-32-0x0000000000E00000-0x0000000000EE8000-memory.dmp	orcus

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Orcus.exe

Executes dropped EXE 1 IoCs

pid	Process
4572	Orcus.exe

Loads dropped DLL 1 IoCs

pid	Process
4572	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	test.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	test.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	test.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	test.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	test.exe
File created	C:\Windows\assembly\Desktop.ini	test.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4572	Orcus.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	Orcus.exe
Token: 33	1060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1060	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4572	Orcus.exe
416	notepad.exe
3864	notepad.exe
1764	notepad.exe
5088	notepad.exe
2024	notepad.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4572	Orcus.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2744	4768	test.exe	82
PID 4768 wrote to memory of 2744	4768	test.exe	82
PID 2744 wrote to memory of 4744	2744	csc.exe	84
PID 2744 wrote to memory of 4744	2744	csc.exe	84
PID 4768 wrote to memory of 4572	4768	test.exe	85
PID 4768 wrote to memory of 4572	4768	test.exe	85
PID 4572 wrote to memory of 3152	4572	Orcus.exe	94
PID 4572 wrote to memory of 3152	4572	Orcus.exe	94
PID 4572 wrote to memory of 2376	4572	Orcus.exe	96
PID 4572 wrote to memory of 2376	4572	Orcus.exe	96
PID 4572 wrote to memory of 1012	4572	Orcus.exe	97
PID 4572 wrote to memory of 1012	4572	Orcus.exe	97
PID 4572 wrote to memory of 4720	4572	Orcus.exe	98
PID 4572 wrote to memory of 4720	4572	Orcus.exe	98
PID 4572 wrote to memory of 1528	4572	Orcus.exe	99
PID 4572 wrote to memory of 1528	4572	Orcus.exe	99
PID 4572 wrote to memory of 2668	4572	Orcus.exe	100
PID 4572 wrote to memory of 2668	4572	Orcus.exe	100
PID 4572 wrote to memory of 3196	4572	Orcus.exe	101
PID 4572 wrote to memory of 3196	4572	Orcus.exe	101
PID 4572 wrote to memory of 1188	4572	Orcus.exe	102
PID 4572 wrote to memory of 1188	4572	Orcus.exe	102
PID 4572 wrote to memory of 2420	4572	Orcus.exe	103
PID 4572 wrote to memory of 2420	4572	Orcus.exe	103
PID 4572 wrote to memory of 2024	4572	Orcus.exe	104
PID 4572 wrote to memory of 2024	4572	Orcus.exe	104
PID 4572 wrote to memory of 2676	4572	Orcus.exe	105
PID 4572 wrote to memory of 2676	4572	Orcus.exe	105
PID 4572 wrote to memory of 3396	4572	Orcus.exe	106
PID 4572 wrote to memory of 3396	4572	Orcus.exe	106
PID 4572 wrote to memory of 2012	4572	Orcus.exe	107
PID 4572 wrote to memory of 2012	4572	Orcus.exe	107
PID 4572 wrote to memory of 64	4572	Orcus.exe	108
PID 4572 wrote to memory of 64	4572	Orcus.exe	108
PID 4572 wrote to memory of 3700	4572	Orcus.exe	109
PID 4572 wrote to memory of 3700	4572	Orcus.exe	109
PID 4572 wrote to memory of 1236	4572	Orcus.exe	110
PID 4572 wrote to memory of 1236	4572	Orcus.exe	110
PID 4572 wrote to memory of 1164	4572	Orcus.exe	111
PID 4572 wrote to memory of 1164	4572	Orcus.exe	111
PID 4572 wrote to memory of 2108	4572	Orcus.exe	112
PID 4572 wrote to memory of 2108	4572	Orcus.exe	112
PID 4572 wrote to memory of 3380	4572	Orcus.exe	113
PID 4572 wrote to memory of 3380	4572	Orcus.exe	113
PID 4572 wrote to memory of 1912	4572	Orcus.exe	114
PID 4572 wrote to memory of 1912	4572	Orcus.exe	114
PID 4572 wrote to memory of 4360	4572	Orcus.exe	115
PID 4572 wrote to memory of 4360	4572	Orcus.exe	115
PID 4572 wrote to memory of 4348	4572	Orcus.exe	116
PID 4572 wrote to memory of 4348	4572	Orcus.exe	116
PID 4572 wrote to memory of 5088	4572	Orcus.exe	117
PID 4572 wrote to memory of 5088	4572	Orcus.exe	117
PID 4572 wrote to memory of 2056	4572	Orcus.exe	118
PID 4572 wrote to memory of 2056	4572	Orcus.exe	118
PID 4572 wrote to memory of 2272	4572	Orcus.exe	119
PID 4572 wrote to memory of 2272	4572	Orcus.exe	119
PID 4572 wrote to memory of 4608	4572	Orcus.exe	120
PID 4572 wrote to memory of 4608	4572	Orcus.exe	120
PID 4572 wrote to memory of 2636	4572	Orcus.exe	121
PID 4572 wrote to memory of 2636	4572	Orcus.exe	121
PID 4572 wrote to memory of 2292	4572	Orcus.exe	122
PID 4572 wrote to memory of 2292	4572	Orcus.exe	122
PID 4572 wrote to memory of 648	4572	Orcus.exe	123
PID 4572 wrote to memory of 648	4572	Orcus.exe	123

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3uhrsrxx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1BF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA1BE.tmp"
    3⤵
    PID:4744
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3152
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2376
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1012
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4720
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1528
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2668
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3196
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1188
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2420
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2024
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2676
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3396
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2012
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:64
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3700
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1236
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1164
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2108
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3380
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1912
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4360
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4348
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:5088
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2056
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2272
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4608
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2636
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2292
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:648
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2784
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:860
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4700
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1980
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4948
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1020
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:1764
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3916
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3792
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3924
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4920
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3408
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4632
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4712
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1976
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:708
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:5096
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2088
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1596
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3456
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:552
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1128
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3696
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4860
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:412
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2352
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4352
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2748
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4252
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3064
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3528
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2928
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:5100
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:416
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1628
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2268
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:3864
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4952
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1560
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2092
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4100
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4196
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1216
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:752
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4688
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4972
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
903KB

MD5
355df37589243785512812437ef1d4b2

SHA1
45fae5fd1ce1aa7f1c239489a3e0db5ab0606128

SHA256
3bfd1e4cae067297ea03292efbae3f59961453c71a0898433b47961771728544

SHA512
e1d1c1a3b9569f55247583d0a70458d957d779a696177d61cd5daff31f5372cf1c0bc81272809c90e991bdefbe9e15e4a5b00bcf59f90028588f8157a7feeb64

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\3uhrsrxx.dll

Filesize
76KB

MD5
ab3fdb3bf87f2dcc359b89be1d36869c

SHA1
fb713a905f94f9e99af1f128527529aaa552a79a

SHA256
475db4b956df978431150ae2d6b1d0b5fe7b2665435b9443c1b60b2541c1b02c

SHA512
751656fd8b354abb01917abad97d4d8010807e50607eb18ec159637c1182b7423106a3d7f68a9c0788f2689c6959f2cff60d366e3498be137f40aebb0b4060e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1BF.tmp

Filesize
1KB

MD5
a8d8073686eba785f7638f0d7ab4e2d6

SHA1
e93230391d487692e121e78f439bdf0dbe450661

SHA256
330882ef390a9c11b37ae1bb2d3f6e981875a43654fe664114c5d5af854889a7

SHA512
7f171692da91792efb4496678bbe625c3822779fb646f34c86adc56d758f36d1468c28870442ed16f78511225244c0a404ccab4bc7aa9a73b8c0e9154feb9ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\AForge.Video.DirectShow.dll

Filesize
60KB

MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\AForge.Video.dll

Filesize
20KB

MD5
0bd34aa29c7ea4181900797395a6da78

SHA1
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8

SHA256
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d

SHA512
a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_a339b99dac7845378c88498c7cef7ac5\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3uhrsrxx.0.cs

Filesize
208KB

MD5
a3bd4369c918cafd1e10a52c90c22c13

SHA1
5ff86206b604cdaf7b7a34bdb55263f49c5929ff

SHA256
c13a3424f51e0a8bc3c9341744364588b2c548b0cdd71e02b7c0f8aa9971fa81

SHA512
31a07da583710c51132f425bd59e6c46934c5a2467a5a31783a71bfc1a5e5d2bcf852e7964e68e09946f1d3b9ba3fd1a8977b74735d4f67169982282bbf4cfc7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3uhrsrxx.cmdline

Filesize
349B

MD5
cbf9aa391a62d5166ce973222af8181e

SHA1
405ae7d2e52e05e22a717ff9229daab7d622d48d

SHA256
e293a85c184b91a57dfc46768a9459121bcba86ea500da207a3e4bb9bbbab57e

SHA512
0ecf80611f2cbabde46066aaad7978ec80d4bfc1937ac06a5e6375f3f84a65061ebb08c271dee28a47bcd229e5e576927ea5af6a64754242796ff23d459c4f0e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA1BE.tmp

Filesize
676B

MD5
a59201994b80fc301d8c895006a98dc2

SHA1
b870c36ae2c83e93e5a3d7a19f3c0c2859a2f823

SHA256
53d2a51a5a98c82892f43afca1a3d8c70748df956780ce71af3a58de19e00aa3

SHA512
7e6a0b1ada347f1eb9dc93bd8b6e9d3d6b558c550322a9134d585ec274fa909f1ce53c337ca0aa744a11d9988b8f0cc2189710f13c092b1495f64dfd1d9562c9

Download Submit
memory/2744-19-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp

Filesize
9.6MB

Download
memory/2744-21-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp

Filesize
9.6MB

Download
memory/4572-33-0x000000001BA40000-0x000000001BA52000-memory.dmp

Filesize
72KB

Download
memory/4572-85-0x000000001D880000-0x000000001D8A6000-memory.dmp

Filesize
152KB

Download
memory/4572-32-0x0000000000E00000-0x0000000000EE8000-memory.dmp

Filesize
928KB

Download
memory/4572-109-0x00000000210A0000-0x000000002114A000-memory.dmp

Filesize
680KB

Download
memory/4572-34-0x000000001BA50000-0x000000001BA68000-memory.dmp

Filesize
96KB

Download
memory/4572-102-0x00000000660C0000-0x000000006615C000-memory.dmp

Filesize
624KB

Download
memory/4572-35-0x000000001CB00000-0x000000001CB10000-memory.dmp

Filesize
64KB

Download
memory/4572-38-0x000000001DB10000-0x000000001DB22000-memory.dmp

Filesize
72KB

Download
memory/4572-39-0x000000001DB70000-0x000000001DBAC000-memory.dmp

Filesize
240KB

Download
memory/4572-40-0x000000001DEA0000-0x000000001DFAA000-memory.dmp

Filesize
1.0MB

Download
memory/4572-41-0x000000001E180000-0x000000001E342000-memory.dmp

Filesize
1.8MB

Download
memory/4572-42-0x00007FF931843000-0x00007FF931845000-memory.dmp

Filesize
8KB

Download
memory/4572-45-0x000000001CA50000-0x000000001CA5C000-memory.dmp

Filesize
48KB

Download
memory/4572-93-0x000000001E6B0000-0x000000001E804000-memory.dmp

Filesize
1.3MB

Download
memory/4572-53-0x000000001CA20000-0x000000001CA36000-memory.dmp

Filesize
88KB

Download
memory/4572-30-0x00007FF931843000-0x00007FF931845000-memory.dmp

Filesize
8KB

Download
memory/4572-61-0x000000001CAB0000-0x000000001CAF4000-memory.dmp

Filesize
272KB

Download
memory/4572-77-0x000000001E0B0000-0x000000001E10A000-memory.dmp

Filesize
360KB

Download
memory/4572-69-0x000000001D830000-0x000000001D87A000-memory.dmp

Filesize
296KB

Download
memory/4768-7-0x000000001CD50000-0x000000001D21E000-memory.dmp

Filesize
4.8MB

Download
memory/4768-8-0x000000001D2C0000-0x000000001D35C000-memory.dmp

Filesize
624KB

Download
memory/4768-6-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp

Filesize
9.6MB

Download
memory/4768-23-0x000000001D980000-0x000000001D996000-memory.dmp

Filesize
88KB

Download
memory/4768-5-0x000000001C870000-0x000000001C87E000-memory.dmp

Filesize
56KB

Download
memory/4768-25-0x0000000001580000-0x0000000001592000-memory.dmp

Filesize
72KB

Download
memory/4768-2-0x000000001BD60000-0x000000001BDBC000-memory.dmp

Filesize
368KB

Download
memory/4768-1-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp

Filesize
9.6MB

Download
memory/4768-0-0x00007FF933EF5000-0x00007FF933EF6000-memory.dmp

Filesize
4KB

Download
memory/4768-31-0x00007FF933C40000-0x00007FF9345E1000-memory.dmp

Filesize
9.6MB

Download