orcus | 6d93347f32f5046a8dff6e59d67f43e1e0c11f51ca718c85e55246a57e49c22c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT.exe
Size

903KB
MD5

abd73de056896e77aef3e771088a4752
SHA1

c3071c37a40d56694ee2fe0624c0dddeb72041b3
SHA256

6d93347f32f5046a8dff6e59d67f43e1e0c11f51ca718c85e55246a57e49c22c
SHA512

ac32cc3017e996d1ad7755ee7da80c266e432a652bbff5fa136e840ffa11c5c3cd26d9b50094d8df257eb5289abb8e53b9b030a3504f821a4f9592b9d8aedf30
SSDEEP

12288:50XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCBfm9rR6W7BaepBwzo7dG1lFlWR:2am4MROxnF4HrrcI0AilFEvxHPRZoo1

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

195.88.218.126:10134

Mutex

7c04bcf8b3a04c3c8433437cb1b3ce73

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/memory/1316-1-0x0000000000950000-0x0000000000A38000-memory.dmp	orcus

Loads dropped DLL 15 IoCs

pid	Process
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe
1316	RAT.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
2472	msedge.exe
2472	msedge.exe
4852	identity_helper.exe
4852	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	RAT.exe
Token: 33	2728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2728	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3668	1316	RAT.exe	94
PID 1316 wrote to memory of 3668	1316	RAT.exe	94
PID 1316 wrote to memory of 3668	1316	RAT.exe	94
PID 3668 wrote to memory of 2456	3668	vbc.exe	96
PID 3668 wrote to memory of 2456	3668	vbc.exe	96
PID 3668 wrote to memory of 2456	3668	vbc.exe	96
PID 2472 wrote to memory of 1900	2472	msedge.exe	99
PID 2472 wrote to memory of 1900	2472	msedge.exe	99
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 3984	2472	msedge.exe	100
PID 2472 wrote to memory of 4656	2472	msedge.exe	101
PID 2472 wrote to memory of 4656	2472	msedge.exe	101
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102
PID 2472 wrote to memory of 2068	2472	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\RAT.exe
"C:\Users\Admin\AppData\Local\Temp\RAT.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9330.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc932F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5ed746f8,0x7ffa5ed74708,0x7ffa5ed74718
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1925297278131111815,12131536919112655279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2df5cdf9ad7020a675fca2c787cc7fd0

SHA1
370f68a576e998c5984f5c89f9c30720b3badd12

SHA256
954503660e84cfee9300fece28c5e4f8226f1f3b093f7bbc92b101cafa38fcb8

SHA512
05dab907e77460ca5902af80744d567da81042c75772d44ec9c7abbb6a6d513eb62d708c281eaa74b9b8e38e1a10c3cfb4d9574c88db5803dd5715ecedf62ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12894b06fe97d03b1d2deee03f165032

SHA1
93cd95d8af9f3c783d495443c4373b351ef75783

SHA256
a290d638df18dcc5f782a0f9ea4fd70d5d7b549de4a7a794c9fe5f6038f26c2c

SHA512
4b34ded7861f87313b5f493715b47bf596148d445d16ff52fd7bcb45f34ca67fd57714330e8ca74b49993f6a12e6b086916ec99d075b8923d22c43d8ec664007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7154a4bcbd9481b2605ba6ceb413aad4

SHA1
3799f30f903112a51a6f9a1271306d42e26e779d

SHA256
2a110ee391726afffd82d2f836847ac78f2e1eadd0c2eb57ebf8407ceafc2c0e

SHA512
3be5f4f7ab2d90450426da3551f87c6abafd13b99b629a147bcc01905590fc4018f86692bafea792dec2ea19f60b459d6398584709dc4a6c82bb8d9e060eee01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9330.tmp

Filesize
1KB

MD5
6c0ebd0e0a77cad2f72891a02a1f2225

SHA1
eca5a991c3f156abb2bd372032cd5af8d5834141

SHA256
3ca465fee8f284100c3e98607de12b81b484e5cf7270a9683c4b081f8570e687

SHA512
0adc8ec208ba4de05b8d717c897c9c187d041ea7046c83c07b52d126654defe1a029e22e3c4646efb12f9a8d6f27d90125ab2a317ec8ec4f34baba3e2f463e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.0.vb

Filesize
250B

MD5
0a43dfa95cb44176347e31049a66f71f

SHA1
6d7d6633e4981c6fafb0fd4022b0d379bd9eb417

SHA256
709389aaeaaf573b3642710488e63f16ff74358b5c2208c66ae538fe0eb781b4

SHA512
e507daf5adfbed7af1f6c7aca453adf0cbc996287ed6fbcc965aaf28ff8e5c7d1b2329d97c0acaa7998a4ebe014bc5b5cbdc5e7158d02a2187b3213d5e613f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.cmdline

Filesize
268B

MD5
55e34ac86a6b50bf598b49c838cf688d

SHA1
9ef8f8e20e6296076df42a35cdb97da55f359a91

SHA256
ea95bc7667531ab0d20a4be001600d3e97559ac022d34cc84fbe2e353f59b008

SHA512
96992c333c5a4b1ac1e1f35e4067c208c55e87feb851ebd7bb8f29905b3cf56a047961f998f7ccf715a878e2336293561051b21c29526ab742a0b5ec978433d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4flzv0t\a4flzv0t.dll

Filesize
6KB

MD5
69fd480476e88b5021186629d7b26bc0

SHA1
2c6128c7354474594b1c13c87fa3e02ae0f012c2

SHA256
1aebe8d1de91874685509e023177c4fda29f621c010944244ae91ea5ecf1a7c1

SHA512
d46b25348922e116861f089e8191ff30d66673e50138c48a91bcae2b63bca74fc0fc5b74427d05084d95e0846e4c38c4c20b196bddbe6ebb49b8a8889f8d1309

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc932F.tmp

Filesize
652B

MD5
3b18d78a05359a9a4085233b47c36dc0

SHA1
4b3de13dc448611da510a545f10149aa7af27779

SHA256
a07e4aac7dd212e6c3ab5592177cfe8fc53c52d7a71681ec722e2f44fe324391

SHA512
9d5b36c95e5a6b886880b162813c4a82b7f3c8e638445e91caf4e2a56d378157ae09434491abb54c00cdec7c94d3eec9d749ec4c6ffdccada357f42d6c0c7e04

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\CSCore.dll

Filesize
516KB

MD5
dde3ec6e17bc518b10c99efbd09ab72e

SHA1
a2306e60b74b8a01a0dbc1199a7fffca288f2033

SHA256
60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8

SHA512
09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\OpusWrapper.dll

Filesize
843KB

MD5
bf0ef47bea0139b87d42a449a0240101

SHA1
37b65cd6830088707be692d4602b10062a46b91a

SHA256
07ec44bca9b44de3b22f9d212db3ecc5191201e27e4310d7bb2b199deffbab5a

SHA512
830c5b380c844a8490cf482ef4ca4821b6185f5fd204c3edf21de0b449727448835b9cbfb103eb74aa91f05abb7390ed1c0ed5e815a7101d9127fc38382daa8a

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_7c04bcf8b3a04c3c8433437cb1b3ce73\x86\turbojpeg.dll

Filesize
646KB

MD5
82898ed19da89d7d44e280a3ced95e9b

SHA1
eec0af5733c642eac8c5e08479f462d1ec1ed4db

SHA256
5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29

SHA512
ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682

Download Submit
memory/1316-15-0x0000000006880000-0x00000000068E6000-memory.dmp

Filesize
408KB

Download
memory/1316-71-0x0000000009660000-0x000000000973A000-memory.dmp

Filesize
872KB

Download
memory/1316-33-0x0000000006280000-0x00000000062CA000-memory.dmp

Filesize
296KB

Download
memory/1316-21-0x0000000007910000-0x0000000007AD2000-memory.dmp

Filesize
1.8MB

Download
memory/1316-40-0x0000000006330000-0x000000000638A000-memory.dmp

Filesize
360KB

Download
memory/1316-47-0x00000000062D0000-0x00000000062F6000-memory.dmp

Filesize
152KB

Download
memory/1316-20-0x0000000006ED0000-0x0000000006FDA000-memory.dmp

Filesize
1.0MB

Download
memory/1316-19-0x0000000006D50000-0x0000000006D9C000-memory.dmp

Filesize
304KB

Download
memory/1316-54-0x0000000007DC0000-0x0000000007F14000-memory.dmp

Filesize
1.3MB

Download
memory/1316-18-0x0000000006D10000-0x0000000006D4C000-memory.dmp

Filesize
240KB

Download
memory/1316-61-0x0000000007FB0000-0x0000000008036000-memory.dmp

Filesize
536KB

Download
memory/1316-64-0x0000000008670000-0x0000000008B9C000-memory.dmp

Filesize
5.2MB

Download
memory/1316-65-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-66-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-17-0x0000000006920000-0x0000000006932000-memory.dmp

Filesize
72KB

Download
memory/1316-26-0x0000000006030000-0x0000000006074000-memory.dmp

Filesize
272KB

Download
memory/1316-16-0x00000000072F0000-0x0000000007908000-memory.dmp

Filesize
6.1MB

Download
memory/1316-1-0x0000000000950000-0x0000000000A38000-memory.dmp

Filesize
928KB

Download
memory/1316-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/1316-12-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-11-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/1316-10-0x0000000006270000-0x000000000627A000-memory.dmp

Filesize
40KB

Download
memory/1316-89-0x00000000091E0000-0x00000000091E8000-memory.dmp

Filesize
32KB

Download
memory/1316-9-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/1316-8-0x0000000005950000-0x0000000005968000-memory.dmp

Filesize
96KB

Download
memory/1316-7-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/1316-6-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1316-5-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/1316-4-0x0000000005290000-0x00000000052EC000-memory.dmp

Filesize
368KB

Download
memory/1316-3-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-2-0x00000000013E0000-0x00000000013EE000-memory.dmp

Filesize
56KB

Download
memory/3668-78-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download